Symantec email exploit bites Symantec
-
@powerlord said in Symantec email exploit bites Symantec:
@candlejack1 said in Symantec email exploit bites Symantec:
@Maciejasjmj said in Symantec email exploit bites Symantec:
@kt_ My antivirus strategy generally consists of common sense. I have yet to see software that would infect my PC without me taking any stupid action, and I have yet to see an antivirus that would convince me not to run this piece of software I just willingly downloaded. Either I won't download it in the first place, or I'll figure it's one of a billion false positives.
There were situations where viruses that attack IPs at random would find flaws in your system if you connected directly to the internet; it happened to WinXP.
This is one of the rare cases in which a home router would actually save you as attacking an IP at random would hit the router and not the devices behind it.
And as early adopters of IPv6 are finding out - the technical limitations of NAT no longer protect their systems...
-
@cheong said in Symantec email exploit bites Symantec:
@anotherusername You see there are advertisements hosted on Yahoo sites? Some malicious people registered with the ad hosting service and placed some Flash content that can trigger Flash Player related vulnerabilities. If you visit that site without Flash disabled, no matter whether you visit via Chrome or IE, even if you do not click on the ads, the ransomware will be executed on your system, encrypting your files and demanding money from you to get back the key for decryption.
This first happened on Yahoo Japan and a few months later also on Yahoo Taiwan.
Btw, just read news that they're now targeting the ads on stock trend commentary sites because their computers are "higher value targets" and most of these sites' visitors are also using websites that use Flash to plot graphs, so these visitors have a higher chance of getting hit by them.
-
@martijntje said in Symantec email exploit bites Symantec:
@powerlord exactly what does a home router do differently here? The only thing I can think of is the firewall they usually come with that is enabled by default.
They're just a basic NAT system.
A router performing NAT generally won't route traffic from external hosts to an internal machine unless one of the internal machines sent packets out to said host first.
Of course, you can set up port forwarding or UPnP and such for protocols that need to expect incoming traffic from machines you haven't contacted first (like BitTorrent).
-
@dkf said in Symantec email exploit bites Symantec:
@anotherusername said in Symantec email exploit bites Symantec:
setting it up doesn't require elevation. Just logging in as an administrator.
Logging in as administrator is a form of elevation. Maybe not the one you were thinking of, but it's definitely on that scale.
It's not. Under UAC, ordinary non-elevated processes have a bunch of privileges stripped out of their process token -- they don't exist, so the processes can't even request to enable them.
-
@martijntje said in Symantec email exploit bites Symantec:
@powerlord exactly what does a home router do differently here? The only thing I can think of is the firewall they usually come with that is enabled by default.
Because the only device that has an externally routable IP is the router. Everything else has a local IP address. So, with the router in front of it, your computer is not directly IP-addressable from the outside. (Unless you put your computer in its DMZ, or turn on port forwarding. But those aren't on by default; they require explicit settings in the router's configuration.)
The router will manage open connections to the outside that are initiated by your computer, so that it's able to communicate, but it has to initiate the connection. It can't receive incoming connections from the outside, unless you explicitly enable them in the router's configuration.
-
@anotherusername said in Symantec email exploit bites Symantec:
It's not.
There are additional privileges granted, though much less than through full elevation, so there most definitely is some elevation. Compare with a fully restricted account.
-
@anotherusername said in Symantec email exploit bites Symantec:
The router will manage open connections to the outside that are initiated by your computer, so that it's able to communicate, but it has to initiate the connection. It can't receive incoming connections from the outside, unless you explicitly enable them in the router's configuration.
When home routers that work over IPv6 start to become common, it would make sense for them to have default firewall rules in place that handle LAN vs WAN traffic in exactly this way. You don't actually need to munge the IP addresses to enforce connection initiation only from the LAN side.
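The two posts above describe the same rule from two angles: a NAT router lets a flow through only if a LAN host sent the first packet, and an IPv6 router can enforce exactly that with a stateful firewall without rewriting any addresses. The following is an added illustration, not code from the thread or from any router vendor: a toy connection-tracking filter that records outbound 5-tuples and admits inbound packets only when they match a recorded flow or an explicitly opened port (the "port forwarding / UPnP" case). The prefixes, ports and hosts are constructed sample values (192.168.1.0/24, the 2001:db8:1::/48 documentation prefix, port 6881 as a stand-in for BitTorrent); it tracks 5-tuples only and ignores TCP flags and timeouts, which real conntrack implementations also check.

```python
"""Toy stateful firewall showing why LAN-initiated flows pass and random
inbound scans are dropped, identically for IPv4 and IPv6 (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Admit WAN->LAN packets only as replies to LAN-initiated flows or to
    explicitly opened ports. Addresses are never rewritten, so the same
    logic works for NATted IPv4 and globally routable IPv6 hosts."""

    def __init__(self, lan_prefixes, forwards=None):
        # ipaddress handles v4 and v6 networks with the same API
        self.lan = [ipaddress.ip_network(p) for p in lan_prefixes]
        # (proto, dport) pairs the owner opened, e.g. via port forwarding/UPnP
        self.forwards = set(forwards or [])
        # 5-tuples of flows seen leaving the LAN (the "connection table")
        self.flows = set()

    def _is_lan(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.lan)

    def handle(self, pkt):
        """Return "ALLOW" or "DROP" for one packet, updating the flow table."""
        src_lan, dst_lan = self._is_lan(pkt.src), self._is_lan(pkt.dst)
        if src_lan and not dst_lan:
            # outbound: remember the flow so replies can come back
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if dst_lan and not src_lan:
            # inbound: is this the reverse direction of a known flow?
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.flows:
                return "ALLOW"
            # or a port the owner deliberately exposed (BitTorrent-style)
            if (pkt.proto, pkt.dport) in self.forwards:
                return "ALLOW"
            # unsolicited WAN-originated packet: the random-scan case
            return "DROP"
        # LAN<->LAN or WAN<->WAN transit is out of scope for this toy
        return "ALLOW"


def run_demo():
    """Constructed traffic: an outbound HTTPS flow and its reply, a random
    scan at an IPv6 host's SMB port, and a hit on an opened port."""
    fw = StatefulFirewall(["192.168.1.0/24", "2001:db8:1::/48"],
                          forwards=[("tcp", 6881)])
    verdicts = {}
    # IPv6 host browses to a WAN server: allowed and recorded
    verdicts["v6_out"] = fw.handle(Packet("2001:db8:1::10", 51000, "2001:db8:ffff::1", 443))
    # the server's reply matches the recorded flow: allowed
    verdicts["v6_reply"] = fw.handle(Packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 51000))
    # a random scanner probes the same host on 445: dropped, no NAT involved
    verdicts["v6_scan"] = fw.handle(Packet("203.0.113.9", 40000, "2001:db8:1::10", 445))
    # same scan at an IPv4 LAN host behind NAT: dropped for the same reason
    verdicts["v4_scan"] = fw.handle(Packet("203.0.113.9", 40001, "192.168.1.20", 445))
    # inbound to the port the owner opened on purpose: allowed
    verdicts["v4_forward"] = fw.handle(Packet("198.51.100.7", 6000, "192.168.1.20", 6881))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12} {verdict}")
```

The point the IPv6 comment makes falls out of the code: the verdicts for the IPv6 host and the NATted IPv4 host are identical, because the protection comes from the flow table, not from address translation.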
-
My modem/router has both an IPv4 and an IPv6 address. Hosts automatically get an IP address in the assigned /48 range and a NATted IPv4 address of course.
Only if a host does not support IPv6 yet does it fall back to the NATted IPv4. It does come with a built-in firewall though, so in that setting it's probably not very different from the setup used on more enterprisey equipment.
-
@cheong said in Symantec email exploit bites Symantec:
@error There is a command audit2allow that will check the log files to help you adjust the SELinux policy so SELinux won't get in the way of your daily activities.
-
SELinux is further evidence that security people just want us to give up using computers, so we're safe from them.
-
@anotherusername said in Symantec email exploit bites Symantec:
@Medinoc setting it up doesn't require elevation. Just logging in as an administrator.
It does, I just checked. At least, if you're on Windows 7 with UAC set to "Always Notify" instead of "security theater". You can't access the services, or the task scheduler, or anything that uses the MMC, without Elevation.
-
@anotherusername said in Symantec email exploit bites Symantec:
UAC is designed so that you can use an admin account and processes that you start aren't supposed to be elevated unless you confirm a UAC prompt.
Right, but this isn't an automatic thing happening when you run a program. You've explicitly told it to elevate, just with this interface, not a pop-up.
-
@Medinoc it doesn't at the default level: "Default - Notify me only when programs try to make changes to my computer. Don't notify me when I make changes to Windows settings".
-
@anotherusername said in Symantec email exploit bites Symantec:
@Medinoc it doesn't at the default level: "Default - Notify me only when programs try to make changes to my computer. Don't notify me when I make changes to Windows settings".
That's what I just said. You have it set to "security theater" mode.
-
@ben_lubar said in Symantec email exploit bites Symantec:
I want an OS where programs can only open files that either they created or that were opened using an OS-provided file chooser dialog.
Maemo (Linux for Nokia tablets) used to run each installed package as a different UID so their opportunity to mess with each other was limited. But that was over a decade ago so the current state of affairs must be much better than that by now.
-
@another_sam said in Symantec email exploit bites Symantec:
@ben_lubar said in Symantec email exploit bites Symantec:
I want an OS where programs can only open files that either they created or that were opened using an OS-provided file chooser dialog.
Maemo (Linux for Nokia tablets) used to run each installed package as a different UID so their opportunity to mess with each other was limited. But that was over a decade ago so the current state of affairs must be much better than that by now.
Sounds like what Android and UWP apps are doing, actually...
-
@another_sam said in Symantec email exploit bites Symantec:
Maemo (Linux for Nokia tablets) used to run each installed package as a different UID so their opportunity to mess with each other was limited. But that was over a decade ago so the current state of affairs must be much better than that by now.
You'd like to think so, right?
That's how Android works--a different user for each app.
-
@Tsaukpaetra said in Symantec email exploit bites Symantec:
UWP apps
I'm not sure--I don't think UWP apps run as a different user, I think they run in a security context where they don't have access to the whole filesystem.
-
@Medinoc said in Symantec email exploit bites Symantec:
You can't access the services, or the task scheduler, or anything that uses the MMC, without Elevation.
The PoC exploit uses a) command line, so no MMC, and b) Windows 8, even explicitly stating that it's a regression caused by a changed security model of scheduled tasks.
-