(Topic ID: 106808)

Virus on Pinside?

By Modman

9 years ago


Topic Stats

  • 172 posts
  • 45 Pinsiders participating
  • Latest reply 9 years ago by thedefog
  • Topic is favorited by 1 Pinsider

    There are 172 posts in this topic. You are on page 1 of 4.
    -4
    #1 9 years ago

    Was reading all the great posts and pictures on "Robins Gone" Let's test the moderators, and now I have a severe case of Pop-ups....Be advised...

    #2 9 years ago

    Not possible it came from Pinside. One has nothing to do with the other.

    #3 9 years ago

    I figure it's from clicking on one of the posted videos or photos...

    #4 9 years ago
    Quoted from Modman:

    I figure it's from clicking on one of the posted videos or photos...

    I need to start spreading this rumor:

    "Oh yeah, stay out of that 'Testing the Moderator' thread! It'll ruin your computer!!"

    Pete

    -1
    #5 9 years ago
    Quoted from Modman:

    I figure it's from clicking on one of the posted videos or photos...

    You can't get a virus from a video OR a photo. Unless you click on a link embedded in a video on youtube which takes you to a site that has malware AND you click "Install" or something similar.

    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever. The user needs to accept/install something when prompted. Malware creators make those prompts look common or innocuous but nevertheless they require user intervention.

    #6 9 years ago
    Quoted from Pinchroma:

    You can't get a virus from a video OR a photo. Unless you click on a link embedded in a video on youtube which takes you to a site that has malware AND you click "Install" or something similar.
    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever.

    well, that's entirely not true, particularly if your browser or OS are out of date. in general though, yeah, 95% of viruses are because someone wasn't paying attention and clicked "ok" on some dialog they shouldn't have.

    #7 9 years ago
    Quoted from Pinchroma:

    You can't get a virus from a video OR a photo. Unless you click on a link embedded in a video on youtube which takes you to a site that has malware AND you click "Install" or something similar.
    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever. The user needs to accept/install something when prompted. Malware creators make those prompts look common or innocuous but nevertheless they require user intervention.

    Yeah I'm always annoyed when I fix someone's computer (read: Mom's computer) and I ask 'Ok what did you click on or do?'

    Answer: "Nothing"

    *sigh* you did something

    #8 9 years ago
    Quoted from pmWolf:

    I need to start spreading this rumor:
    "Oh yeah, stay out of that 'Testing the Moderator' thread! It'll ruin your computer!!"
    Pete

    I know that I had to wash my eyes once from it. My computer's fine though.

    #9 9 years ago
    Quoted from pezpunk:

    well, that's entirely not true, particularly if your browser or OS are out of date. in general though, yeah, 95% of viruses are because someone wasn't paying attention and clicked "ok" on some dialog they shouldn't have.

    Or if the website you're visiting has been compromised then you can be subject to a "drive-by" with nothing required from the user other than visiting the page.

    viperrwk

    #10 9 years ago

    Anyone recommend running anything besides already paid for and installed Norton protection? I get Firefox popups quite a bit on my Asus laptop. thanks, ant

    #11 9 years ago

    I would download Adblock Plus (free extension / add-on within Firefox), download and run MalwareBytes (free trial), disable popups under browser options, and stick with Norton unless your computer is running slowly. Norton eats up a lot of resources. Gobble.

    -1
    #12 9 years ago
    Quoted from pezpunk:

    well, that's entirely not true, particularly if your browser or OS are out of date. in general though, yeah, 95% of viruses are because someone wasn't paying attention and clicked "ok" on some dialog they shouldn't have.

    The only browser that ever allowed that was with IE6 and the default of accepting ActiveX controls. Even that was patched.

    11
    #13 9 years ago
    Quoted from Pinchroma:

    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever. The user needs to accept/install something when prompted. Malware creators make those prompts look common or innocuous but nevertheless they require user intervention.

    You are very, very wrong. Web-based viruses that silently exploit flaws in browsers/plugins are extremely common. Users do NOT need to 'click something' to get infected.

    Please, stick to powdercoating, as you obviously have no clue regarding malware propagation.

    #14 9 years ago
    Quoted from viperrwk:

    Or if the website you're visiting has been compromised then you can be subject to a "drive-by" with nothing required from the user other than visiting the page.
    viperrwk

    no, not generally, unless your browser is vulnerable (out of date).

    #15 9 years ago
    Quoted from Saveleaningtower:

    Anyone recommend running anything besides already paid for and installed Norton protection? I get Firefox popups quite a bit on my Asus laptop. thanks, ant

    Norton is a scam. what it's best at is slowing your computer down.

    keep your browser and OS up to date and don't click "ok" on anything without reading it first and you'll be fine. if you want more protection than that, I highly recommend MalwareBytes.

    #16 9 years ago
    Quoted from pezpunk:

    no, not generally, unless your browser is vulnerable (out of date).

    Your browser is always vulnerable. There may be some rare times when it's not, but really, treat it as such. The more stuff you add to it (acrobat, etc), the more vulnerable it becomes.

    Google a bit on zero-day exploits... also actually read some of the KB advisories Microsoft puts out with all their patches. You'd be surprised how many describe situations where a system can be compromised by remote code w/o any user intervention. Noscript is a great plugin to help combat a lot of that malware...

    #17 9 years ago
    Quoted from metallik:

    Please, stick to powdercoating, as you obviously have no clue regarding malware propagation.

    You are right about browser exploits, but this comment wasn't necessary. Pinchroma is a talented computer scientist.

    #18 9 years ago

    Sorry Wolf (and Pinchroma), I just hate seeing very bad advice being put out by people who should know better.

    #19 9 years ago
    Quoted from metallik:

    Your browser is always vulnerable. There may be some rare times when it's not, but really, treat it as such. The more stuff you add to it (acrobat, etc), the more vulnerable it becomes.
    Google a bit on zero-day exploits... also actually read some of the KB advisories Microsoft puts out with all their patches. You'd be surprised how many describe situations where a system can be compromised by remote code w/o any user intervention. Noscript is a great plugin to help combat a lot of that malware...

    I wouldn't be surprised because patching vulnerabilities is literally my job. spent the last couple weeks developing mitigation strategies for Shellshock. granted, most of the systems I'm in charge of are Solaris, but there are Windows clients too. I stand by what I said - successful attacks without any user action are extremely rare, and the vast majority of these only work on old, unpatched systems. new vulnerabilities come out daily (shellshock, heartbleed, perfect examples, even though those weren't viruses), and Mozilla / MS / Oracle etc. are constantly pushing security updates.

    If you are in charge of a critical DoD system for example, sure, take every possible precaution, but ALL security is about finding the sweet spot between security and usability. And the truth is that from the end user's perspective, Norton is a waste of time and money. it costs money, and is a constant drag on resources, only to catch virtually nothing that wouldn't be caught more gracefully by keeping your crap patched and running MalwareBytes.

    the only situation in which I would recommend Norton is if you have a grandparent who can't stop clicking on popups.

    -3
    #20 9 years ago
    Quoted from metallik:

    You are very, very wrong. Web-based viruses that silently exploit flaws in browsers/plugins are extremely common. Users do NOT need to 'click something' to get infected.
    Please, stick to powdercoating, as you obviously have no clue regarding malware propagation.

    LOLOLOLOL As if you think Powdercoating is what I do for a living? Exploits such as drive by downloads make use of various browser based exploits for dropping files in places such as tmp download directories and your browser's cache directory however they would need to perform a remote code execution in CONJUNCTION with the drive by to get the malware to proliferate and for that you need some type of acknowledgement. Both drive by's and RCE's are patched within 24-48 hrs of a CVE generation and rarely if ever do they exist in parallel.

    Viruses and malware are proliferated via web pages from stupid users. Now once one has made its way onto a network there are a whole host of mechanisms for it to proliferate such as my personal favorite a dumb sysadm with domain admin rights on his user account. That's always a great one.

    #21 9 years ago
    Quoted from pezpunk:

    I stand by what I said - successful attacks without any user action are extremely rare, and the vast majority of these only work on old, unpatched systems. new vulnerabilities come out daily (shellshock, heartbleed, perfect examples, even though those weren't viruses), and Mozilla / MS / Oracle etc. are constantly pushing security updates.

    ^^^ This.. Successful attacks without any user action are not only extremely rare they are extremely small in scale and VERY targeted.

    #22 9 years ago
    Quoted from Pinchroma:

    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever. The user needs to accept/install something when prompted. Malware creators make those prompts look common or innocuous but nevertheless they require user intervention.

    Wrong. There is a lot of malware that can infect a computer through known exploits. Usually it's not the website that serves up the malware, but an embedded advertising link. You just have to visit a website and if your system is vulnerable, poof you are infected. There's also the standard type that try to trick you into installing it, but those are easier to avoid.

    Rob

    #23 9 years ago

    You are safest if you stay away from Internet Explorer and MS Windows entirely. Most other operating systems (OSX, Linux, ChromeOS, etc) have much better security controls in place to avoid such issues. It is most common that your browser gets hijacked by websites that claim to "make your computer faster" "optimize the internet" "scan for viruses now?" "remove malware".. once you agree, they actually install viruses, trojan horses, and malware. It's best to pick a product you know and control (I use AVG Free) and install absolutely nothing else that claims to make your computer better. I can't tell you how many frustrating hours I've spent cleaning up other people's windows boxes and browsers from the after-effects.

    -1
    #24 9 years ago

    Care to elaborate? I'd love to see this one

    P.S. If anyone wants to go toe to toe with me on this topic let's see your CVE's and Reports as well as exploits you have personally written.

    I'll be GLAD to provide mine

    #25 9 years ago
    Quoted from Baiter:

    You are safest if you stay away from Internet Explorer and MS Windows entirely. Most other operating systems (OSX, Linux, ChromeOS, etc) have much better security controls in place to avoid such issues.

    true, but less true than it used to be. heartbleed and shellshock are two recent vulnerabilities that affected Unix-derivative systems (including Mac).

    Quoted from Baiter:

    It is most common that your browser gets hijacked by websites that claim to "make your computer faster" "optimize the internet" "scan for viruses now?" "remove malware".. once you agree, they actually install viruses, trojan horses, and malware. It's best to pick a product you know and control (I use AVG Free) and install absolutely nothing else that claims to make your computer better. I can't tell you how many frustrating hours I've spent cleaning up other people's windows boxes and browsers from the after-effects.

    most commonly, they target the least computer-savvy among us with popups that try to look like Windows dialog boxes. it's a bummer because these people are already intimidated by technology, and then their computer is actively trying to trick them into looking dumb.

    #26 9 years ago
    Quoted from Pinchroma:

    Care to elaborate? I'd love to see this one
    P.S. If anyone wants to go toe to toe with me on this topic let's see your CVE's and Reports as well as exploits you have personally written.
    I'll be GLAD to provide mine

    I support a 1000 Server, 20,000 user government domain. I have over 25 years experience in IT as well. I don't need to go toe to toe with anyone. If you think malware cannot infect an unprotected system by just visiting a website then you are naïve. It's usually not the website, but the embedded ads that cause the issues.

    Rob

    #27 9 years ago
    Quoted from pezpunk:

    true, but less true than it used to be. heartbleed and shellshock are two recent vulnerabilities that affected Unix-derivative systems (including Mac).

    most commonly, they target the least computer-savvy among us with popups that try to look like Windows dialog boxes. it's a bummer because these people are already intimidated by technology, and then their computer is actively trying to trick them into looking dumb.

    Heartbleed and Shellshock are interesting. Both easily preventable with a little code QA and it's amazing how long they actually existed before they were found.

    It was disheartening to hear how easily bash was exploited with just a few environment variables. Luckily it didn't include a privileged escalation exec (granted someone isn't dumb enough to have log in directly as root remotely enabled in ssh or have configured passwordless sudo)

    -6
    #28 9 years ago
    Quoted from Rob_G:

    I support a 1000 Server, 20,000 user government domain. I have over 25 years experience in IT as well. I don't need to go toe to toe with anyone. If you think malware cannot infect an unprotected system by just visiting a website then you are naïve.
    Rob

    Wow 1000 Servers. That's Huge...

    I designed an architecture with 115,000 servers with 900,000 users. I also discovered a ton of exploits that you spend time patching.

    And don't take this the wrong way but there is a reason governments call in independent security folks on a regular basis.

    Please find me a CVE that dictates malware installation without user intervention? If you do I'll concede. You won't but I'll play.

    #29 9 years ago
    Quoted from Pinchroma:

    Wow 1000 Servers. That's Huge...
    I designed an architecture with 115,000 servers with 900,000 users. I also discovered a ton of exploits that you spend time patching.
    And don't take this the wrong way but there is a reason governments call in independent security folks on a regular basis.

    You sound special then, good for you! But since you need to make this a pissing match, I'll leave you alone with your ego and exploits.... Have a nice day.

    Rob

    #30 9 years ago
    Quoted from Pinchroma:

    It was disheartening to hear how easily bash was exploited with just a few environment variables.

    there will be more to come. I think it's the tip of the iceberg.

    Luckily it didn't include a privileged escalation exec (granted someone isn't dumb enough to have log in directly as root remotely enabled in ssh or have configured passwordless sudo)

    yeah, exactly. systems that are already left running with the doors unlocked and keys in the ignition are in trouble! panic! the threat was overblown in the media, but it's still amazing how many years (decades?) that little bug has been around before people noticed.

    -2
    #31 9 years ago
    Quoted from Rob_G:

    You sound special then, good for you! But since you need to make this a pissing match, I'll leave you alone with your ego and exploits.... Have a nice day.
    Rob

    I'm giving you the opportunity to prove me wrong. You said I was incorrect. It's easily verifiable that I am. Please go ahead and do so. It's all public info? Post the CVE to the malware you were talking about that doesn't require any user interaction? I'll gladly concede if you find one that isn't 10 years old.

    #32 9 years ago

    Pez there will always be more to come. Heartbleed was a valid concern given what data was exposed. Shellshock is just an annoyance on a properly secured system.

    #33 9 years ago

    I got a virus...but I'm pretty sure it came from a baywatch machine I recently played...

    #34 9 years ago

    As a fellow IT nerd, it is fun watching half of you IT nerds spell Potato while the other half spells Potatoe...... Ignoring all the other credentials and talk about our "support size", you guys crack me up. Let's just go ahead and call this one what it is- PEBKAC.

    Oh and until about 6 months or so ago..... Java was a four letter word on my network.

    Can we go back to bashing JPOP or LEDs now?

    #35 9 years ago

    Maybe it is the ebola virus? Remember, before the days of the internet ebola was just the bola virus.

    #36 9 years ago

    I think I got a virus reading this thread because my head is pounding right now.......

    #37 9 years ago
    Quoted from cosmokramer:

    I got a virus...but I'm pretty sure it came from a Baywatch machine I recently played...

    HAHAHA

    #38 9 years ago
    Quoted from Rob_G:

    I support a 1000 Server, 20,000 user government domain. I have over 25 years experience in IT as well. I don't need to go toe to toe with anyone. If you think malware cannot infect an unprotected system by just visiting a website then you are naïve. It's usually not the website, but the embedded ads that cause the issues.
    Rob

    Rob, pinchroma has gone back to his arrogant, I can do no wrong mode. Don't bother. His comment that most patches are released within 48 hours of a confirmed exploit alone is laughable.

    To the rest of pinside, trust those of us who have dealt with this stuff for decades. Alex is wrong; most exploits these days are silent infections using exploits in various active applications.

    -2
    #40 9 years ago
    Quoted from metallik:

    Rob, pinchroma has gone back to his arrogant, I can do no wrong mode. Don't bother. His comment that most patches are released within 48 hours of a confirmed exploit alone is laughable.
    To the rest of pinside, trust those of us who have dealt with this stuff for decades. Alex is wrong; most exploits these days are silent infections using exploits in various active applications.

    Incorrect. Very Very incorrect. I didn't say patches are released in 48 hours. I said patches are released within 24/48hrs of a CVE generation if you know what that is? Again I'm giving you guys an opportunity to prove me wrong. The data is right there publicly. Find it and prove me wrong. You can talk all you want as I actually write a few CVE's weekly. I'm asking you to prove me wrong and all you are doing is telling me I'm incorrect with nothing to substantiate your claims.

    #41 9 years ago

    We're not discussing CVEs or patch timing. We're talking whether it's possible to get infected by malware without any user intervention.

    Quoted from Pinchroma:

    Contrary to popular belief you can NOT get a virus just by visiting a website. Ever. The user needs to accept/install something when prompted. Malware creators make those prompts look common or innocuous but nevertheless they require user intervention

    This above is specifically where you are not only completely wrong, but you are putting others at risk with your bad advice. Please, stop!

    -2
    #42 9 years ago

    Thanks you proved my point. None of those are browser based. They are Java based which you as a user have to INHERENTLY provide run access to UNLESS you set your java parameters to the lowest security settings.

    And a Drive by as you listed it is also perfect:

    "Any download that happens without a person's knowledge, often a computer virus, spyware, malware, or crimeware.[1]" Downloads happen all the time. But are N O T E X E C U T E D!

    It all goes back to stupid users. Plain and simple.

    #43 9 years ago

    All I know is I've been an online computer user since the old BBS days and was around for the infancy of the world wide web. I've never been a big user of antivirus software or anti-malware until after I've been infected and need to remove or scan for an issue. I find the burden and cost of such software far outweighs its effectiveness.

    So with that said, I can state with 100% certainty that every single piece of malware and/or virus I've acquired or contracted over the last 20+ years was due to a direct action from myself. Certainly not a statistical sample but it's something.

    #44 9 years ago

    Keep reading..

    "A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably)."

    Only some exploits are java, most use acrobat, some use flaws in the OS itself. Most show no user prompts whatsoever.

    Alex, I don't know what is wrong with you, but your arrogance will be your downfall.

    #45 9 years ago
    Quoted from Purpledrilmonkey:

    All I know is I've been an online computer user since the old BBS days and was around for the infancy of the world wide web. I've never been a big user of antivirus software or anti-malware until after I've been infected and need to remove or scan for an issue. I find the burden and cost of such software far outweighs its effectiveness.
    So with that said, I can state with 100% certainty that every single piece of malware and/or virus I've acquired or contracted over the last 20+ years was due to a direct action from myself. Certainly not a statistical sample but it's something.

    Because that's how they predominantly work I don't even run any malware detection. Never have and never will. Yet I never get infected regardless of the absurd amount of risky security related sites I have to visit. Ones designed to do exactly what we are arguing about.

    Simple rules of thumb,

    Don't click install / yes on anything prompted in a browser.
    Set your java to prompt for execution.

    Problem solved.

    #46 9 years ago
    Quoted from Pinchroma:

    It all goes back to stupid users. Plain and simple

    You definitely sound like a guy that doesn't support a network of users. There is a lot of bad programming done on many apps that users are forced to use as part of their daily environment. They aren't stupid users by any means, they are just forced to use software that was written poorly (including text that specifically states- "Yes/install").

    While it is all about user end training, striking a balance between security and functionality will always be the greatest challenge on any network. Finding that sweetspot is the key to making any network operate smoothly.

    -2
    #47 9 years ago
    Quoted from metallik:

    Keep reading..
    "A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably)."
    Only some exploits are java, most use acrobat, some use flaws in the OS itself. Most show no user prompts whatsoever.
    Alex, I don't know what is wrong with you, but your arrogance will be your downfall.

    You are mistaking Arrogance for Experience. This is what I do all day every day. I just don't like it when those who don't have explicit knowledge have to source wikipedia as a reference guide.

    There are exploits. Plenty of them. (Over 60,000 known at this time). A large amount at the OS level however are mitigated by the fact we are all sitting behind NAT's now-a-days and none of our machines are there to be slammed on. It takes user interaction for anything not public facing to be exploited. Social Engineering plays a role in that as well.

    Simple fact is, a machine you can't get to, you can't exploit. It always takes a user. Plain and simple.

    #48 9 years ago

    Man whomever thought a thread aboot PC Security could be so boring

    #49 9 years ago
    Quoted from Saveleaningtower:

    Anyone recommend running anything besides already paid for and installed Norton protection?

    Uninstall Java.

    Your computer instantly becomes 20x safer, runs faster, and 99% of people will never know it's gone.

    #50 9 years ago
    Quoted from ralphwiggum:

    You definitely sound like a guy that doesn't support a network of users. There is a lot of bad programming done on many apps that users are forced to use as part of their daily environment. They aren't stupid users by any means, they are just forced to use software that was written poorly (including text that specifically states- "Yes/install").
    While it is all about user end training, striking a balance between security and functionality will always be the greatest challenge on any network. Finding that sweetspot is the key to making any network operate smoothly.

    Users in the support perspective should never have the access to install anything on their desktops. A properly maintained environment is done centrally with minimal access allowed at the desktop level. They shouldn't be in the habit of clicking yes/install on anything. They should never see that prompt and if they do it should be clearly documented to hit "X" or "NO". Environment management tools make it so that the user environment becomes homogeneous and in some ways almost self regulating if set up properly.

    It is true finding a sweet spot between security and usability is a challenge but depending on your vertical it may actually be easy. In my arena security trumps nearly everything.


    This page was printed from https://pinside.com/pinball/forum/topic/virus-on-pinside and we tried optimising it for printing. Some page elements may have been deliberately hidden.
