Search engine results increasingly poisoned with malicious links Malware threats in search results are getting worse despite the best efforts of Google and other vendors. The number of infected results has been increasing year by year since 2013 despite the application of multiple tools and technologies designed to exclude dodgy links, according to a study by independent anti-virus testing …
... or were overly concerned, I'd browse from a desktop computer with no permanent storage (other than BIOS) and booted from live BSD CD/DVD.
That should do the job for the hardware.
The trick then is that the wetware needs to be sure NOT to enter any personal data.
Thoughts from the hot tub...
...Cirdan...
(Icon as a placeholder for the BSD daemon)
"Then you find out that the malware is capable of infecting hardware, persisting across reboots, infecting other machines on your network AND escaping VMs to attack machines there."
Do you?
Citation needed. Citation should specifically address BSD as the live OS as that was specified by the OP.
-- attacking, say, VMs running in instances of read-only Linux which could compromise hardware would:
1. Require the attackers to do a lot of time-consuming development on hypervisor attacks, Linux vulnerabilities, and low-level hardware coding,
2. Result in access to a few tens of thousands of PCs worldwide.
In other words, a lot of damned dev work for a truly tiny return on investment.
IMHO, security is never about absolutes. It's about the odds. Don't bet money when you draw to an inside straight and don't walk through Hyde Park after midnight carrying a manpurse of cash, because the odds won't ride with you. Do browse using VMs and Linux, because the odds are that very few if any attacks are being written to exploit those combinations of platforms.
Just my own malformed opinion, of course.
"1. Require the attackers to do a lot of time-consuming development on hypervisor attacks, Linux vulnerabilities, and low-level hardware coding,
2. Result in access to a few tens of thousands of PCs worldwide."
1. Only need to do it ONCE. Then anyone else can copycat. Perhaps state-level hackware can be copied.
2. High-value targets. If they're behind this much lock and key, they're likely to have secrets.
The impression I get is that it's not a problem of dodgy sites. All sorts of 'respectable' sites seem to get hit, often either through malware 3rd party ads (Marks and Sparks?), or hacking of Wordpress (and other) sites (Jamie Oliver?).
At least one report has suggested that 'dodgy' (read 'smutty') sites are often actually safer - they have a serious vested interest in keeping you happy so you'll come back and give them more money.
Considering how easy it is to spin up a website nowadays, and considering this TED talk warning people of their filter bubble from March 2011 https://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles and considering the level of surveillance there is when you combine the advert tracking which deliver viruses & other malicious software often zero day types, you really dont know what are dodgy sites now a days.
Some of the things I've caught is the TalkTalk tv box trying to access windows 7 desktop, and sites like DailyMail.co.uk & Akamai networks being blocked by Snort for the data they have been delivering. If it wasnt for the vlans & firewall setup I've had at home I wouldnt have caught this stuff. Attacking home devices to gain access to work networks is a valid attack vector especially if you provide support to other companies is not beyond the realms of possibility.
Even running from a Linux live CD, I recently heard a laptop emitting a funny noise similar to the old dialup modem handshake which wouldnt have been picked up in a room with normal noise levels, but would have been picked up by microphones in nearby devices.
In fact one hack I discovered last night, appears to target CD roms, causing it to not read from genuine media but does boot from fake media printed to look like Dell Windows CD's. The fake Dell CD's will install on any non Dell computer, the genuine Dell media will not install on non-Dell devices. If you do a diagnostic on the Dell optical drive it throws an errorcode 0152 incorrect status 1A Error Registration 0020h but only when you run diagnostics on the device. Thats your only clue.
Bottom line is, you cant trust any of your tech and unless you log everything and have disposable servers handling your encrypted internet traffic for things like email servers or serving webpages, and then pull that back to your internal main servers unencrypted whilst logging it and acket inspect it, you have zero chance of spotting some hacks considering the resources some entities have.
I agree - I'm in IT support, and part of my work is having to assume remote control of computers. Direct them to logmein123.com, they fail half the time (all users are not created equally) and end up on malicious sites, most of the time found in Google's own search results, and I've even had a user get two separate dodgy infections in the course of me trying to direct them to the correct website.
There is so much more that could be done but I suspect Google enjoys the ad revenue.
I would be fully unsurprised if Browser-producing Seach-Engine-Owning companies were to announce they want to use users' internet connections to crawl pages every now and then, to prevent just that. Democrasearch 2.0 (TM), too bad it's too late to hype this with "peer-to-peer", we need to involve the blockchain somehow.
A site directed me to something via an AdFly link. Avast! freaked out and caught two attempts to push malware at me. I had granted AdFly script permissions as it doesn't work otherwise. Great. I will run the next attempt with web console open, see if I can figure out how to get at the link directly.
Cue an article by Andrew on advertisers pissing and moaning about how nobody likes them...
"It could be the ads on the website that have been flagged as suspicious by us and that changes every time you access the site," Morgenstern explained. "Or the website is delivering different content randomly or it does so by checking the user agent or location of the user.
Having found a suspicious link they didn't test further?
NoScript and AdBlock+ are now essentials for sane use of the internet.
I do not have Flash in any browser that I use - and as I cannot remove it from Edge I have blocked Edge (and IE and Cortana) from any internet access using the program control feature of Norton Firewall.
If an ordinary site is unusable with Noscript or AdBlock+ then I remove it from the sites that I visit.
"If an ordinary site is unusable with Noscript or AdBlock+ then I remove it from the sites that I visit."
And if it's the ONE AND ONLY source of something you need? Like your device company's website and the ONLY source for official drivers (it's hard to trust anyone else now since they can inject their copies)?
Should have done your browsing from a bootable Linux CD on Linux.
Sure, you can say there are a lot of malicious links, but the study doesn't bring up whether or not they cut off research after the first 2 or 3 pages of links.
I can do a search on some really simple things and come up with 10,000+ links. Obviously, I'm not going to look at this much, so lets use some granular techniques to bring this number down, and not use all 10,000. Which of course, will cause the number of malicious links on a search way down.
Common sense, and proper research techniques please.
Now project these problems to the IOT, Cloud Computing, and the amazingly large percentage of the IT community that believe the myth of unlimited bandwidth. It will not end well for anyone.
The commenters alluding to hardware security measures are on the right track. My understanding is that strong security features still incorporated in microprocessors, but that for commercial profit they are not used. My gut feeling is that information technology, as currently used and being deployed simply cannot be practically secured.
In simplistic terms, I can't secure things for things that I can't see and over which I have no control.
Unfortunately, as the following example shows, securing them is my legal responsibility.
Like a few hundred million or so people on the planet, I connect to the internet through a satellite ISP--that is, to say a metered, connection. (The fact that I had two systems connected through an Ethernet connection is a separate problem in its own right.)
During the few days or so that Microsoft's Windows 10 Anniversary update and subsequent patches downloaded, we burned through 15 GBytes of data usage, resulting in restricted access and more than doubling our monthly bill.
Here in italics is the response I got from the ISP.
. . . it's the customers responsibility for having a secured network and with what the data is used on. We provide plenty of information on our website to help with tips, but when it comes down to it, it's up to the customer how the data is consumed.
Me: Again, nonsense. When we selected the service and technologies we had the ability to do that.
Me: Subsequent changes and updates have eliminated the users ability to manage their systems.
Support Response: It's not nonsense. It's in your customer agreement that you have with [Company Name Deleted] I would suggest reading it at http://www.[deleted].com/legal
I deleted the company name. In fairness, they shouldn't be singled out for what, as near as I can tell, is a universal practice in the IT sector--Coercing acceptance of unilateral Terms and Conditions that effectively appropriate egregious rights to use of their customers' intellectual property (information) while relieving the IT providers of all legal responsibility for anything.
The problem is that bandwidth is NOT, wishful thinking to the contrary, unlimited. That's why, if you read the fine print, providers spec data transfer rates in terms of "up to" some limit. In the case of metered connections, the consequences of exceeding limits can be draconian, in dollar costs and in degraded or in some cases, suspended, connectivity.
The user has to choose between maintaining real-time security and maintaining acceptable service at a reasonable cost. (My ISP does provide an unmetered period, if I am willing to stay up until midnight every night and change the settings on all my devices. I consider that personal cost unreasonable.)
It is simply impossible to secure an internetworked system under these conditions. Promoting the pretext that it can is irresponsible and dangerous. Saddling the user with the responsibility may be legal, but it is morally reprehensible. The results are likely to be catastrophic.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
