Malvertising, drive by downloads
June 4, 2016 10:57 AM Subscribe
How safe is it really, to surf the web these days on a modern Windows PC?
I've been doing a bit of reading recently about malvertising and drive by downloads (the no click required variety), as well as redirection attacks etc.
Most of my computer knowledge is now about 10 years out of date, but it appears to me that a decade ago, so long as you stayed off of porn sites and the like, didn't download files from anywhere suspicious, had an up to date firewall/anti-virus and ran Windows in a limited account you were pretty much going to be OK.
However, it now seems that even if you do all of this, these days you can still quite easily be infected even if you do nothing 'wrong'. So how likely is this threat?
Is the solution to stick to surfing the web on sandboxed devices like Ipads or obscure versions of Linux whilst only using Windows for stuff that only a MS PC can do? Is it just accepting that you should probably wipe your computer and re-install every year like we did back in the Win9x days, even if nothing is wrong?
Would be interested in hearing from anyone involved in IT for a living what they think, and how current practice relates etc.
I've been doing a bit of reading recently about malvertising and drive by downloads (the no click required variety), as well as redirection attacks etc.
Most of my computer knowledge is now about 10 years out of date, but it appears to me that a decade ago, so long as you stayed off of porn sites and the like, didn't download files from anywhere suspicious, had an up to date firewall/anti-virus and ran Windows in a limited account you were pretty much going to be OK.
However, it now seems that even if you do all of this, these days you can still quite easily be infected even if you do nothing 'wrong'. So how likely is this threat?
Is the solution to stick to surfing the web on sandboxed devices like Ipads or obscure versions of Linux whilst only using Windows for stuff that only a MS PC can do? Is it just accepting that you should probably wipe your computer and re-install every year like we did back in the Win9x days, even if nothing is wrong?
Would be interested in hearing from anyone involved in IT for a living what they think, and how current practice relates etc.
Spent a number of years doing Windows support and had to clean off a ton of malware. My home computers are Windows boxes, and with precautions I don't worry much about surfing safety. Here's what I'd recommend:
-This is the most important aspect of security: Back up your data so if you get hacked you don't lose anything. Cloud backup solutions may suffice for you; I have too much data. I back up everything to encrypted external hard drives. Two sets, one kept at my house and another kept at my office. I also back up an image of my C: drive so restoring from scratch is simple.
-Use a password manager like Lastpass or Keepass and follow its recommendations about using strong passwords, not re-using passwords, and using two-factor authentication for high-value accounts like your password manager, cloud backup, Gmail accounts and bank accounts.
-Use the following plugins: Ad Block Plus, Disconnect, and HTTPS Everywhere.
-Use common sense. You know offers for free stuff are not free. Unexpected emails from Microsoft or your bank asking for personal info are fake. Delete them. If you're truly worried, call your bank and verify your account is OK.
-This one is passive: Let Windows and your browser auto-update to apply security patches.
posted by lefty lucky cat at 11:17 AM on June 4, 2016 [5 favorites]
-This is the most important aspect of security: Back up your data so if you get hacked you don't lose anything. Cloud backup solutions may suffice for you; I have too much data. I back up everything to encrypted external hard drives. Two sets, one kept at my house and another kept at my office. I also back up an image of my C: drive so restoring from scratch is simple.
-Use a password manager like Lastpass or Keepass and follow its recommendations about using strong passwords, not re-using passwords, and using two-factor authentication for high-value accounts like your password manager, cloud backup, Gmail accounts and bank accounts.
-Use the following plugins: Ad Block Plus, Disconnect, and HTTPS Everywhere.
-Use common sense. You know offers for free stuff are not free. Unexpected emails from Microsoft or your bank asking for personal info are fake. Delete them. If you're truly worried, call your bank and verify your account is OK.
-This one is passive: Let Windows and your browser auto-update to apply security patches.
posted by lefty lucky cat at 11:17 AM on June 4, 2016 [5 favorites]
I'm an engineer now, but i was in IT first. You can browse the web on a Windows PC provided you've reasonably protected it, and run some maintenance tasks periodically. I've never wiped my PC when nothing is wrong, so I can't speak to that.
I use adblocking and scriptblocking extensions in my updated browsers. I disable Java, Flash, QuickTime, and other easy vectors. I use a password manager, and run antivirus, malwarebytes antimalware, and spybot search & destroy often, and keep them updated. Spybot in particular has a basic immunization feature that I'm sure has saved my ass without me even knowing it. I really think that wiping the computer periodically or using a VM for browsing are wayyyy too inconvenient to bother with. I use my head and don't go out looking for trouble on the web (movie downloads, software cracks, etc).
That said, for work or content creation, I would never use a Windows PC. Nope nope nope nope. I know not everybody's got that option, though.
posted by destructive cactus at 11:20 AM on June 4, 2016 [1 favorite]
I use adblocking and scriptblocking extensions in my updated browsers. I disable Java, Flash, QuickTime, and other easy vectors. I use a password manager, and run antivirus, malwarebytes antimalware, and spybot search & destroy often, and keep them updated. Spybot in particular has a basic immunization feature that I'm sure has saved my ass without me even knowing it. I really think that wiping the computer periodically or using a VM for browsing are wayyyy too inconvenient to bother with. I use my head and don't go out looking for trouble on the web (movie downloads, software cracks, etc).
That said, for work or content creation, I would never use a Windows PC. Nope nope nope nope. I know not everybody's got that option, though.
posted by destructive cactus at 11:20 AM on June 4, 2016 [1 favorite]
(Credentials: I don't claim to be a security expert, but I do Web development for a living and I try to stay on top of this stuff.)
There's a lot of FUD out there. These are the possible attack vectors, as far as I can tell:
Note that this applies to "drive-by Russian hacker" levels of threat. If your enemy is some three-letter American government agency, all bets are off.
@SwiftOnSecurity's Decent Security site is a pretty good resource if you're interested in this stuff.
posted by neckro23 at 11:39 AM on June 4, 2016 [4 favorites]
There's a lot of FUD out there. These are the possible attack vectors, as far as I can tell:
- Direct attack on the system (e.g. SMB or ActiveDirectory exploits) -- Windows XP was notorious for this. Modern Windows doesn't really have a problem. Mitigated by using a firewall. Most everybody is using NAT these days, so not an issue anymore.
- Plugin exploit -- ActiveX/Java/Flash exploits were (and still are) very common ways to get infected by malware. Mitigated by disabling all plugins, and only enabling them (if necessary) for sites that you trust.
- XSS/phishing exploit -- Won't get you infected, but might do funny business with your Facebook/Twitter/Google account. Generally not a problem, unless you get fooled by a shady site or someone finds an unpatched hole in a popular site's security.
- Browser exploit -- Generally these don't exist. Modern Web browsers are very tightly locked down. Auto-updates (Chrome, Firefox) help a lot with this.
Note that this applies to "drive-by Russian hacker" levels of threat. If your enemy is some three-letter American government agency, all bets are off.
@SwiftOnSecurity's Decent Security site is a pretty good resource if you're interested in this stuff.
posted by neckro23 at 11:39 AM on June 4, 2016 [4 favorites]
I did first level support on an aging fleet of WinXP (before end of life) and Win7 machines once upon a time, ending about 18 months ago. Hard cases I turned over to our support company, and they usually took them out back and hosed them down at that point, but here are my observations:
- provided AV and a firewall was being run and the browsers were relatively modern, AND the websites being visited by users were not too dodgy (more on that in a minute), there were few problems.
- the vector for most of the problems was email scamming, spamming, phishing, etc. We installed a better email filter program, which got rid of a lot of spam, and our problems went down dramatically.
- on the subject of dodgy websites - on one level, my highest risk users were artists who were obliged (by penny-pinching company managers) to go to sites that offered free fonts, and also going to look for images similar to what customers wanted. They frequently told me that they needed to bypass/unblock sites that were blocked by default in our firewall. However, these people rarely got bitten, because they were my more savvy users. So they were on dubious websites, but smart enough to know where to click. Not a recommended strategy - smarter to just stay away from dodgy websites. But it illustrates how most exploits on a Windows box start with emails and social engineering.
My accounting department had the worst time of it, because their level of sophistication in using PCs (outside of the accounting software itself) was kind of meh, and they got tons of REAL emails telling them to go somewhere and pay a bill. So they were already kind of wired to read emails and do what they told them to do.
On the personal PC(s) I own, I use AVG free level, and I have taken to putting Malwarebytes paid level (which does more prevention, whereas the free version will try to fix problems after they occur) on the PCs of some of my household users who seem to have problems more often, and all my email is basically a gmail or Google apps inbox running either through a browser or an app of some kind. I'm also using Chrome and Adblocker.
posted by randomkeystrike at 11:42 AM on June 4, 2016 [2 favorites]
- provided AV and a firewall was being run and the browsers were relatively modern, AND the websites being visited by users were not too dodgy (more on that in a minute), there were few problems.
- the vector for most of the problems was email scamming, spamming, phishing, etc. We installed a better email filter program, which got rid of a lot of spam, and our problems went down dramatically.
- on the subject of dodgy websites - on one level, my highest risk users were artists who were obliged (by penny-pinching company managers) to go to sites that offered free fonts, and also going to look for images similar to what customers wanted. They frequently told me that they needed to bypass/unblock sites that were blocked by default in our firewall. However, these people rarely got bitten, because they were my more savvy users. So they were on dubious websites, but smart enough to know where to click. Not a recommended strategy - smarter to just stay away from dodgy websites. But it illustrates how most exploits on a Windows box start with emails and social engineering.
My accounting department had the worst time of it, because their level of sophistication in using PCs (outside of the accounting software itself) was kind of meh, and they got tons of REAL emails telling them to go somewhere and pay a bill. So they were already kind of wired to read emails and do what they told them to do.
On the personal PC(s) I own, I use AVG free level, and I have taken to putting Malwarebytes paid level (which does more prevention, whereas the free version will try to fix problems after they occur) on the PCs of some of my household users who seem to have problems more often, and all my email is basically a gmail or Google apps inbox running either through a browser or an app of some kind. I'm also using Chrome and Adblocker.
posted by randomkeystrike at 11:42 AM on June 4, 2016 [2 favorites]
An ad blocker (such as uBlock) is essential for both your sanity and your safety. I also recommend Ghostery, as well as not using Java/Flash/QuickTime, and doing regular backups. Other than that, your basic safety practices are enough, I think.
Also, use a password manager or some password system that enables you to use different, nontrivial passwords on each of your online accounts (in other words, no sharing passwords between accounts).
posted by gakiko at 12:28 PM on June 4, 2016 [1 favorite]
Also, use a password manager or some password system that enables you to use different, nontrivial passwords on each of your online accounts (in other words, no sharing passwords between accounts).
posted by gakiko at 12:28 PM on June 4, 2016 [1 favorite]
Data point: I've been browsing the internet on a Windows 7 PC for a couple years without wiping it clean, no viruses yet, or at least none detected.
Ad block and NoScript will defend quite ably against drive-by exploits. Everything else can be handled by being reasonably careful about what software you download.
posted by BungaDunga at 12:30 PM on June 4, 2016
Ad block and NoScript will defend quite ably against drive-by exploits. Everything else can be handled by being reasonably careful about what software you download.
posted by BungaDunga at 12:30 PM on June 4, 2016
On Windows 10 using adblockers on Chrome and Firefox (and only using IE for one stupid website where I have no choice), 8-10 hours a day with a fair amount of both entertainment surfing and tech article searching (and some of those sites are suspicious as hell), running Windows Defender and Windows Update with auto-updates turned on, I have had one pop-up malware warning in 10 months. (This is my work laptop even though it lives in my home, so I stay off of adult sites and don't torrent from it. I'm not pushing it terribly hard, but it's getting used.)
I don't have any other add-on security. Usually I would eventually end up with Malwarebytes on it (I did have it on here when it was Windows 8) but the standard Windows solutions + AdBlock Plus has been sufficient so far.
posted by Lyn Never at 12:49 PM on June 4, 2016
I don't have any other add-on security. Usually I would eventually end up with Malwarebytes on it (I did have it on here when it was Windows 8) but the standard Windows solutions + AdBlock Plus has been sufficient so far.
posted by Lyn Never at 12:49 PM on June 4, 2016
I netadmin a school full of Windows PCs, and all my boxes at home are 100% Debian.
That said: in 2016, the single most effective anti-malware measure you can employ on any personal computer running any OS - more important than antivirus by an order of magnitude, given anything even vaguely resembling prudent browsing practices - is a reliable advertising blocker. It's just a fact that 99% of the malware infecting today's PCs arrives via advertising servers. Block those and you're pretty much golden.
uBlock Origin works well for Chrome and Firefox. There is still nothing anywhere near as good available for any of the Microsoft browsers (an IE version of Adblock Plus exists, but as far as I can tell there is no way to customize its blocking lists) so the old, old advice to avoid using Internet Explorer on security grounds now applies to Edge as well, despite the effort MS has put into protection and sandboxing.
If you're comfortable with sites not working the first time you visit them, install NoScript as well. I used to recommend NoScript across the board, but the modern Web is now so heavily reliant on Javascript and auxiliary servers even for non-advertising purposes hat using NoScript now requires a modicum of understanding.
For antivirus, I continue to recommend Panda Free Antivirus over either the Windows Defender that comes built into Windows these days or any other on-demand anti-malware scanner, paid or otherwise. It works, it's quick and it's quiet. But you do need to exercise caution while installing it because Panda's marketing people have been busy making side deals with foistware providers.
posted by flabdablet at 9:33 AM on June 5, 2016
That said: in 2016, the single most effective anti-malware measure you can employ on any personal computer running any OS - more important than antivirus by an order of magnitude, given anything even vaguely resembling prudent browsing practices - is a reliable advertising blocker. It's just a fact that 99% of the malware infecting today's PCs arrives via advertising servers. Block those and you're pretty much golden.
uBlock Origin works well for Chrome and Firefox. There is still nothing anywhere near as good available for any of the Microsoft browsers (an IE version of Adblock Plus exists, but as far as I can tell there is no way to customize its blocking lists) so the old, old advice to avoid using Internet Explorer on security grounds now applies to Edge as well, despite the effort MS has put into protection and sandboxing.
If you're comfortable with sites not working the first time you visit them, install NoScript as well. I used to recommend NoScript across the board, but the modern Web is now so heavily reliant on Javascript and auxiliary servers even for non-advertising purposes hat using NoScript now requires a modicum of understanding.
For antivirus, I continue to recommend Panda Free Antivirus over either the Windows Defender that comes built into Windows these days or any other on-demand anti-malware scanner, paid or otherwise. It works, it's quick and it's quiet. But you do need to exercise caution while installing it because Panda's marketing people have been busy making side deals with foistware providers.
posted by flabdablet at 9:33 AM on June 5, 2016
Be very wary of any email with attached Word docs, as in, don't open it. Ransomware is unpleasant, encrypting documents and pictures. Mobsters are targeting employment ads on craigslist and other sites.
posted by theora55 at 11:37 AM on June 5, 2016 [2 favorites]
posted by theora55 at 11:37 AM on June 5, 2016 [2 favorites]
Oh, if only I could persuade the school staff not to use this antipattern constantly... the need to type words into a computer causes several of them to reach reflexively for Word, and having typed what they need to, they always send the resulting .docx as an attachment - usually with no subject or body text, but sometimes with their own name as the "subject".
Email is not that hard, people.
posted by flabdablet at 12:32 PM on June 5, 2016
Email is not that hard, people.
posted by flabdablet at 12:32 PM on June 5, 2016
This thread is closed to new comments.
If you're willing to put in some work, you can set up VMWare player with a Linux virtual machine and do your browsing inside it. There's an option to make it appear that windows in the VM are just windows in the host OS so it's relatively seemless. An NDA level opponent might escape the VM sandbox, but that's not what you need to worry about.
posted by Candleman at 11:14 AM on June 4, 2016 [1 favorite]