Comments on Small Biz Thoughts by Karl W. Palachuk: The Administrative Rights Challenge

Kevin (2016-07-09 16:49 -07:00):
Yep, there's a half hour of my time wasted. Blogger - simply the worst blog and commenting platform since cruft was invented. Awesome. /s

Gerard Bakker, http://www.radix.nl (2016-07-09 14:31 -07:00):
To be honest, this discussion is becoming pointless.
You keep repeating your thing and are not responding to the real points people bring forward.

I don't care that your clients never had any viruses. That's no proof.
Same with asking for a website.

You say something like: "I swim in the ocean all the time. I see all kinds of people swim in the ocean. I have never been attacked by a shark. The other people have also never been attacked. Shark attacks are a myth. Show me a place where I can swim and be attacked by a shark. You can't. OK, then I'm right."

You don't believe in drive-bys, because you haven't seen them. So they are non-existent??? No information on the internet that describes those?

Your definition of a virus being installed is also flaky, and you don't really respond when people correct you and even give examples. Yes, you could say: hey, that's not installing. No, you're right.

About the webinar, the same. It's sound advice as it stops 99.99% of the infections. But I guess he never said that it would stop 100%.

Proving a myth wrong goes a little further than your proof method. 99.999 or however many nines you add is not proof of 100%. At best you prove it's rare, and I agree on that.

Karl W. Palachuk (2016-07-09 14:24 -07:00):
Kevin, I don't have any other comments awaiting moderation.

Kevin (2016-07-09 11:18 -07:00):
Note, the first half of my comment is missing here. This was posted in a previous comment. Please publish all of my post.

Karl W. Palachuk (2016-07-07 07:20 -07:00):
With all due respect, Andrew, that's not the case. I deal with clients almost every day. I manage and deliver their support. And maybe I didn't articulate very clearly. But I promise you there is no web site you can send me to that will infect my computer without my permission. I listened to a webinar on ransomware yesterday. The key message - from someone who supports millions of endpoints - was that the two things that everyone can do to stop this threat are 1) Deny administrative rights, and 2) Educate clients to NOT CLICK.

Once you click OK, then the payload can be delivered. And you can do as much damage as your rights allow. But even then, you have to respond to the UAC and say YES, please infect my computer. I'm not saying there's no web site with dangerous popups. I'm saying there are no web sites that I can visit with a secure machine and get automatically infected. I have to click and say OK.

In my business, we've managed thousands of endpoints and never had a virus in more than five years. That didn't happen by accident. I don't think my clients are any smarter or more careful than the average user in the U.S.

You certainly don't have to take my advice. But I promise you that I do know what I'm talking about. Of course it's not a simple thing and the whole package of what we do involves AV, firewall, etc.

Andrew Saucci, http://www.2000computer.com (2016-07-07 06:58 -07:00):
I am starting to think that the real problem here is that while Karl is an outstanding business owner, he lacks the day-to-day technical experience that would give him the perspective that those of us on the front lines have. He probably is not dealing with this stuff himself.

Kevin (2016-07-05 22:49 -07:00):
(Continued from the first comment)

The Myth #2: You can get these viruses even if you are running without Administrative Privileges.
--------
There are simply too many examples here in the comments that prove you're wrong on this. And, by all rights, your challenge should have been completely invalidated by your lack of understanding of this simple mechanism. The key here (as I and others have mentioned) is in the user's context.

What can a "Limited User" do that's malicious then? Surely since they aren't administrators, they can't hurt anything, right? They need to be an administrator to encrypt files, right? Let me give you a simple test you can run to see how dangerous a "Limited User" can be in this specific context. Again, I note that you have not specified how "Limited" users are in your myth, so I'll presume that the user has domain over his/her own context - the default state of a Windows-based limited user. Do this.

1. Set up your system with a new user and make that user limited by making sure the user is not part of any administrative group on Windows. Log out and log in as that user.
2. Make some documents (either in Word or WordPad) and save them as you normally would in that user's %Documents% folder. This is normally what a user would do. That user has done nothing to change context and is still "Limited" and non-administrative.
3. Download a portable, single-file encryption tool - I have one I can give you (just ask) - and there are many out there, but this is easier to illustrate with single-file encryption PE tools.
4. Either run the tool or save it on the user's desktop (you can!), run it (you can!), and then choose one of the documents you made earlier and encrypt it (you can!).

Doing all that, you have replicated the process of what most CryptoLocker viruses do - but you have just done it manually (for the purposes of illustration). None of this required administrative privileges, application installation processes or any sort of elevation of privileges. All CryptoLocker would do is automate that process (while working on several methods of self-preservation beyond the scope of your challenge). Viruses are written by bad guys (they have to be at least a little dumb to be doing this, right?), so many of them are poor and make mistakes on these steps - but the well-made ones are the ones that get to users.

None of this happens to your customers? I would submit you're probably looking at the wrong thing, because your customers *have to be able to do work* - that's why they have computers. Does it ACTUALLY happen? Yes, this is how Windows works! Is it a myth? No. Absolutely not.

Regardless of wrong or right, it's always a good thing that people are taking the time (hopefully for others' benefit) to explain what they mean - and perhaps this is where some learning can happen.

Gerard Bakker, http://www.radix.nl (2016-07-02 11:15 -07:00):
Reading the whole discussion, it seems that we don't completely understand what your challenge is.
It seems that you state 2 things:

1) Drive-by downloads don't exist.
2) If they would exist, they can't be installed if you don't have admin rights.

About point 1:
It will be hard for us to link you to a site if they exist. They are at least rare and will have disappeared as soon as they are discovered.
But the fact that we can't give a link doesn't mean they don't exist. You/we believe in a lot of things we haven't seen but others have.

About point 2:
You could be right on this. But as I commented before, crypto damage can be done by an exe file without the need to install. So if a drive-by can let you automatically download and run a file, then the user is in trouble.

But I also don't really care if drive-bys exist or not. People click on things. Knowingly or unknowingly, even forgetting that they clicked.
And then they get their files encrypted. I don't care if it installed or just executed.

We have and had to deal with the result.
Luckily all our backup procedures were good when our customers got infected. So we have been able to restore them in a few hours.

We block a lot with spam filters, exe and zip blockers and whatever. Still there can always be one extra angle we didn't cover.

Karl W. Palachuk (2016-06-30 14:34 -07:00):
Sorry, Anon. The challenge is NOT whether I can work really hard to infect my computer. I can go to that page and download the file. Then I have to use GPEdit to disable Windows Defender and then disable every other AV product. At that point I can extract the .exe file. But running that file from my hard drive is NOT the challenge.

The challenge is very simple: Point me to a web page where all I have to do is visit and POOF! my machine is magically infected with crypto locker or some other crypto virus.

That's the challenge. Not that I can work for an hour to defeat my own basic defenses. But The Myth: You can get Crypto-locker or other crypto-viruses from just visiting a web site.

If your clients tell you that they didn't click on anything, didn't run anything, didn't elevate their privileges, and just magically got a virus, I don't think they're telling the whole story.

Even the http://arstechnica.com/ article mentioned above says that these attacks have to install something - You have to click on something and you have to give it permission. It doesn't magically run because you visited the page.

I know people want to respond to the comments more than to what I actually wrote. My challenge is not whether I can force viruses onto my system but where I can get them by accident. Because that's what people claim all the time - They did nothing and their machine got infected.

Karl W. Palachuk (2016-06-30 11:30 -07:00):
Obviously click at your own risk.

Anonymous (2016-06-30 11:27 -07:00):
Haven't tried these myself, but give them a go Karl and let us know how things go:

For Cryptolocker (older) use this: https://www.grc.com/malware.htm
For the current stuff use this: http://www.malware-traffic-analysis.net/2015/11/30/index.html (under "ZIP archive of the malware" I won't link directly, Password: "infected")

lee evans (2016-06-30 10:58 -07:00):
We are rigorous about admin rights and have had to clean up some crypto(*) incidents. I don't think anyone is questioning the validity of your methodologies or best practices or the efficacy of those in significantly reducing your risk and exposure. The only point at issue is your assertion that you cannot get crypto without admin rights - this is just not true.

Karl W. Palachuk (2016-06-30 10:35 -07:00):
Of course I could be wrong. And I don't use this one policy in isolation.

But I go to conference after conference where people stand up and say that they are seeing crypto locker everywhere and there's nothing they can do about it. This is a huge thing you can do.

And if everyone across the entire enterprise follows a few simple rules, then those rogue executables that we've been blocking since 1992 will never get to your network.

I fully admit: If you plug in a USB drive whose source is unknown, don't scan it for viruses, and run an executable, lots of bad stuff can happen. But you have to work really hard to do this. You have to ignore lots of advice. And while my clients might theoretically do that, they don't do it in the real world.

I don't know anyone who is rigorous about admin rights who also spends time cleaning up Crypto Locker. Invariably, when they get bit, it's because someone went out of their way to elevate their rights and execute code.

lee evans (2016-06-30 10:25 -07:00):
Sorry Karl but you got this one slightly wrong, for the reasons many of the commenters are trying to show you. I have seen with my own eyes crypto-style viruses which have hit people who 100% do not have admin. There are probably at least thousands of pieces of malicious software which do not need admin. I agree with the principle you are advocating and we are rigorous on the enforcement of this also. I would worry about an element of complacency if you really think you have it all sewn up 100%. Someone mentioned software restriction policies and these are a very good thing to do that can make a huge difference. I am sure you have friends in an AV company or two who can give you the "evidence" you want because you seemingly don't believe all the voices on here could be right and you are wrong?!

Gerard Bakker, http://www.radix.nl (2016-06-27 07:05 -07:00):
On the challenge of not being able to install, you may be right.

But not all cryptoviruses / cryptolockers need to be installed. They need to run.

So there is a simple test.
For the test I bypass email, as you could have (should have) an exe blocker.

Put putty.exe on a USB drive or download it directly.
Run it on your PC from a user account.

If putty can, a cryptolocker can. There are few programming skills needed to make an exe or maybe JavaScript that accesses every file it has access to and does something with it (rewrite, delete, encrypt).

A real cryptolocker is more complex but basically it's a file rewrite.

Kevin (2016-06-24 13:33 -07:00):
haha.. Let's keep it respectful Karl.

I think everyone here is respectfully saying you're wrong - regardless of the number of years you've been in this business (I've been doing it longer though). This is not some obscure reference to research, it's a clear explanation as to why you can find a computer infected given the basic parameters you've supplied in your article. This is as clear as it can be, whether you choose to accept it or not.

Also, I'm happy your customers never get viruses. Perhaps you think you've figured it all out in this regard. That's really ok. Not a day goes by when we're not given the gift of a learning opportunity.

Perhaps your connotation about some sort of conspiracy to make money off cleaning viruses is a real thing too, but then maybe also the earth is flat; I'm not 100% sure because I haven't (yet) been to space to verify that first hand.

But, to your assertion about viruses, you're wrong, wrong, wrong. In fact, if I were to verifiably control the testing conditions (how do I know you'll follow the rules), I'd love to help you get over this hump. But, as they say: "Time is money".

Karl W. Palachuk (2016-06-18 07:52 -07:00):
Hmmmm. I don't see that anyone has proven me wrong at all.

Where's the code? Where's the magic page?

Theoretical discussions by AV vendors are great. And it may surprise you that I actually read that stuff after 25 years in this business. But I do.
I rely on them to test these things and constantly improve their products.

But my clients basically never get viruses. Ever.

I go to conferences all the time and hear people going on and on about crypto viruses and all kinds of stuff. It's clear that they make a great deal of money cleaning up after viruses.

I make essentially zero percent of my revenue (and spend zero percent of my time) dealing with viruses. It's not totally due to administrative privileges, but it is due to the five steps mentioned above.

You can't solve all the AV problems in the world. If people are browsing the Internet with Windows 95, IE 3, and outdated AV, they're going to get infected. You can't do anything about that.

If YOUR clients have new versions of Windows with secure browsers, patched systems, a current AV program, a good firewall with an AV module, solid training, and no administrative rights then they won't get viruses either.

I'm still waiting for someone to show me where I can browse and infect my machine.

Kevin (2016-06-17 20:11 -07:00):
Yes, lots of comments, and it's clear how wrong this article is. Thankfully no one needed to get a virus to "prove" it to you Karl. :)

stryqx (2016-06-14 08:38 -07:00):
Karl you know as well as I do that these things are massively fluid as it's one great big arms race. There's little point me posting a link to a compromised ad server as it will most likely be gone or rendered useless by the time you link to it. It's also highly dependent on whatever the flavor of the day/week/month the currently leveraged exploit is. Which is why your Five Steps are excellent as they ameliorate (but don't necessarily eliminate) the chances of getting hit. The sixth is most definitely Web Content Filtering, the seventh (more like 6a) is ad blocking and the eighth is exploit mitigation either as part of your anti-malware or something like EMET or HitmanPro.

Rather than play a game of whack-a-mole with you I'll point you to the Ars Technica article that covered the last big round of malvertising that dropped TeslaCrypt on unsuspecting systems. You can read the Trend Micro, Trustwave and Malwarebytes blog entries from there.
http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
Oh, and Trend Micro, Trustwave and Malwarebytes aren't talking about theoretical exploits, they're discussing their analysis of in-the-wild infections as part of improving their products' detection capabilities.

TeslaCrypt ran happily without admin privileges. It just encrypted everything it had permissions to and didn't care that it couldn't take out the shadow copies, thankfully making the recovery process quicker.

Agreed, running with admin privileges and reading e-mail and web browsing is just asking for pwnage, but don't think for one minute you're immune to a drive-by infection just because you've turned on UAC.

Andrew Saucci, http://www.2000computer.com (2016-06-14 08:05 -07:00):
All good points. But things are so bad now that we have reached the point where we have gone as far as we can go with background prevention. The threats are so severe that we have to annoy end users or even fire the clients if we don't get the support we need to block the threats, as it now becomes a liability issue. More and more operations are going to have to become "call head cashier."

Also, I never use the term "rights" as it is too emotionally charged. It's always "privileges" with me. Only the owner of a company has any inherent right to use the computers at all, much less access particular web sites or files.

We stopped giving out administrator privileges ten years ago, but that just bought us time. We have already seen more trash than we care to see get onto workstations where the user was not an administrator. It still helps lots and often makes the difference between a reformat and just redoing the user profile, but today, more is needed.

Karl W. Palachuk (2016-06-14 06:50 -07:00):
Thanks for disagreeing without being insulting, Andrew!

I'm certainly not advocating that Admin Rights are a cure-all but I'll bet 90% or more of the computers out there are running with local admin privileges and asking for trouble. The basics that we advocate are:

Step One: Have a good, current anti-virus program.

Step Two: You need a good patch management system.

Step Three: No one in your company should have "administrative rights" on your computers.

Step Four: You need a good firewall with an anti-virus module installed.

Step Five: You need good habits.

If I were to insist on a sixth, it would be web based filtering.

Andrew Saucci, http://www.2000computer.com (2016-06-14 06:36 -07:00):
I have to agree with the opposition here. While only an idiot would run a computer with full-time administrator privileges these days, removing administrator privileges is not a prevent-all or cure-all solution to malware in general. As for ransomware, ultimately the administrator has to be hard-nosed about who gets permissions to things in order to reduce the attack surface. The villain here is "Everyone/Full control" permissions. Just ignore your application vendor when it insists on that and give Modify permissions only to those accounts that need those permissions. Beyond that, be sure to have good backups and push whitelisting of Internet sites on the firewall, if you even want to allow Internet at all. I actually think air-gapped systems will become a necessity not too long from now.

Karl W. Palachuk (2016-06-14 06:02 -07:00):
Okay. If I've learned one thing from being in this business 25 years, it's that I may be uninformed on many levels. Please point me to one of these magical web sites. Prove it to me. Theoretical exploits are delightful for scaring people in a group. Show me.

stryqx (2016-06-14 03:19 -07:00):
Oh, don't get me wrong, I'm not arguing with all your other recommendations - they're all spot on and should be implemented. It's your naïve and ignorant view that malware needs to be "installed", must need administrative privileges granted to it by the end user either by explicit administrative rights by disabling UAC or via a UAC prompt, and can only cause damage by requiring administrative privileges that I'm trying to address. This is simply one area where you've not done the necessary research to educate yourself properly.

stryqx (2016-06-14 03:05 -07:00):
Go read up on the Angler exploit that dropped TeslaCrypt as part of its malware payload. Trend Micro, Trustwave and Malwarebytes all blogged on the topic in March this year. This is the most recent well-publicised web-based infection vector for encrypting malware.

The encrypting malware isn't installed using any API or other system vector that will trip a UAC prompt. The malware is typically dropped into %APPDATA% - if it's dropped at all (yes, file-less in-memory malware is a thing!) - and will run with the user's current privilege level. If it wants administrative privilege levels then it will gain it through privilege escalation vulnerabilities, bypassing UAC. Failure of privilege escalation (for example, being up-to-date with patching) means that the removal of shadow copies will fail, giving the user a possible avenue for recovery without paying for the decryption key.

If you're talking about the original CryptoLocker, then you're absolutely correct in your assertions, but encrypting malware has moved on since 2013 and your assertions are no longer valid.

Again, go read up on Angler and TeslaCrypt. These are just two variants that bust your myths.
Pick your favourite anti-malware vendor to give you the expert tear-down of these two variants, as I don't think my words alone will be enough to convince you.
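The recurring point in the thread is that ransomware running in a non-admin user's context can only damage what that user is allowed to write, and Andrew names the usual culprit: "Everyone/Full control" permissions on shares. The audit script below is an added example for this page, not code from any commenter; it walks a share tree and reports explicit ACEs that give broad principals write access, so they can be replaced with Modify for a scoped group. The share root, the principal list and the output format are assumptions.

```powershell
<#
 Added example: find explicit ACEs that let "any logged-on user" write to a folder.
 Those are the locations a crypto-locker running as an ordinary user can encrypt.
 $Path, $BroadPrincipals and the report format are assumptions for illustration.
#>
[CmdletBinding()]
param(
    [string]$Path = 'D:\Shares'   # assumed share root; point it at the tree to audit
)

$Rights = [System.Security.AccessControl.FileSystemRights]

# Bits that let a caller change, add or delete content, whatever else the ACE grants.
$WriteBits = [int]($Rights::WriteData -bor $Rights::AppendData -bor
                   $Rights::Delete   -bor $Rights::DeleteSubdirectoriesAndFiles)
# Generic rights show up on some inherited ACEs; both imply write access.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

# Principals that effectively mean "every user who can log on" (assumed list).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$BroadPattern    = '\\Domain Users$'   # any domain's Domain Users group

function Test-BroadIdentity([string]$Identity) {
    ($BroadPrincipals -contains $Identity) -or ($Identity -match $BroadPattern)
}

function Test-GrantsWrite([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    # Deny ACEs never widen access, so only Allow entries matter here.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = [int]$Ace.FileSystemRights
    (($r -band $WriteBits) -ne 0) -or (($r -band $GenericWrite) -ne 0) -or (($r -band $GenericAll) -ne 0)
}

$findings = @()
# Root plus every subdirectory. Inherited ACEs are skipped: they repeat the
# parent's entry, and the parent is where the fix has to be applied anyway.
$dirs = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ((Test-BroadIdentity $ace.IdentityReference.Value) -and (Test-GrantsWrite $ace)) {
            $findings += [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No explicit broad write ACEs found under $Path"
} else {
    # Each row is a folder that a non-admin user (and any malware in that user's
    # context) can modify; replace the ACE with Modify for a specific group.
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Run it from an account that can read the ACLs of the whole tree; a clean result only means no explicit broad write ACE exists, so the share-level (SMB) permissions still need to be checked separately.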