Malware, antivirus, and safe downloads

Malware, viruses, worms, adware - whatever you call them, you don't want them on your computer. But how do you keep them away? We take a look at the surprisingly involved process of downloading software from a trustworthy source, as well as the history of why desktop OSes are so vulnerable. Also, Liz talks Geoffrey out of running for office in Japan.


Timeline

  • 1:30 - Security news: BitLocker full disk encryption isn't always implemented correctly
  • 3:39 - Security news: some internet traffic that should have gone to Google services didn't due to Border Gateway Protocol hijacking
  • 6:54 - Security news: "universal fingerprints" fool smartphone grade fingerprint technology over 1 in every 5 times
  • 7:47 - Security news: new Spectre and Meltdown variations
  • 8:45 - Security news: private messages from 81,000 Facebook accounts for sale on a web forum that Facebook believes were gathered from a malicious browser extension
  • 10:33 - History of desktop OS security
  • 14:48 - App stores
  • 17:31 - Safe downloads
  • 19:58 - Suspicious permission prompts
  • 23:26 - Admin access
  • 26:10 - Downloaded file warnings, ZIP files, and USB drives
  • 28:54 - Office macros
  • 29:54 - Antivirus

Show notes & further reading

BitLocker vulnerability

As we discuss in the episode, researchers at Radboud University recently found that many hard drives' built-in encryption works poorly - and that BitLocker in Windows 10 defaults to trusting hard drives that offer to encrypt your data, instead of using its own reliable software encryption.

Microsoft has released a security advisory about this issue. They suggest the following steps to see if you're affected:

  • Open a command prompt with administrator permissions. You can do this by pressing Win-X and selecting "Command Prompt (Admin)", or finding Command Prompt in the Start Menu, right-clicking it, and selecting "Run as administrator."
  • Type in your password. (As we note in the show, you should be very careful whenever you see this prompt - so please don't take our word you should be allowing admin access; confirm that Microsoft's own guidance tells you to use an "elevated command prompt".)
  • Type in manage-bde.exe -status and press enter.
  • See if any drives say "Encryption Method: Hardware Encryption," or if they list some other method like "XTS-AES 128" (a software encryption method).

If any of them list "Hardware Encryption," then, depending on the model of the drive, your data is probably not meaningfully encrypted, so you should plan to be more careful about letting other people have physical access to your computer until you've switched the drive to software encryption.

Fixing the problem requires using the "Group Policy" tool to force software encryption, and then disabling and re-enabling BitLocker. Users of Windows Pro or a higher edition can use the built-in Group Policy Editor:

  • At the administrator command prompt, type in "gpedit.msc". (Or press Win-R, type in "gpedit.msc" and press OK, and type in your administrator password again.)
  • In the hierarchy at the left, navigate to "Local Computer Policy," then "Computer Configuration," "Administrative Templates," "Windows Components," and finally "BitLocker Drive Encryption."
  • There should be three folders inside it, "Fixed Data Drives," "Operating System Drives", and "Removable Data Drives".
  • Inside each of these folders, find the setting starting "Configure use of hardware-based encryption," double-click on it, and set it to "Disabled."
  • Exit the Group Policy Editor and close the administrator command prompt.
  • Go back to the BitLocker control panel, disable BitLocker, wait for the drive to finish decrypting, and then re-enable it so that the drive is re-encrypted in software. The policy change on its own does nothing to a drive that is already using hardware encryption; only the off-and-on cycle switches it. Afterwards, run manage-bde.exe -status again from an administrator command prompt and confirm that the drive now lists a software method such as "XTS-AES 128" rather than "Hardware Encryption."

Unfortunately, Group Policy is not available by default on the Home edition of Windows. As it happens, most Windows 10 Home users are unaffected because the Home edition doesn't officially support BitLocker either - but the software is the same and some PC manufacturers appear to ship Windows 10 Home machines with "device encryption" enabled, which appears to be the same code as BitLocker under the hood (just without the UI). It's not clear to us whether "device encryption" would be affected by the hardware-encryption vulnerabilities. Still, we'll update this post with instructions on how to use Group Policy on Windows 10 Home, once we either find or write a good set of instructions that don't depend on installing random ZIP files or running undocumented batch scripts with admin permissions.

In the meantime, our advice for Windows 10 Home users interested in device encryption is to pay the $99 to upgrade to Windows 10 Pro - while it's pricey, it gets you a reliable way to configure disk encryption and other settings properly.

Antivirus

Motherboard's recent article about antivirus is a good place to start - although we disagree with the "it can't hurt" logic. In particular, we're generally not fans of antivirus / web security software that relies on intercepting HTTPS connections in order to scan for malware inside the encrypted connection: such software has a poor track record of maintaining the security of those connections. For instance, in December 2016, Kaspersky's antivirus product did not reliably track which HTTPS certificates it was replacing, allowing attackers to trick Kaspersky's interception code into making their site look like it had a valid certificate for their target. Browser developers regularly find that antivirus both impairs their own code's performance and weakens new security mechanisms: Ars Technica covered complaints last year from a former Firefox developer and from Chrome's security lead, and links to their analyses as well as dozens of serious vulnerabilities introduced by antivirus software. Ars concludes that you should instead "practice skeptical computing," including keeping your software up to date and using two-factor authentication - both of which we wholeheartedly endorse. You might choose to run antivirus as well, depending on how much of your work involves downloading software or sharing files with people, but research your options and find something that will help and not hurt.

In the news

The Spectre and Meltdown attacks take advantage of two processor optimizations, "speculative execution" and "out-of-order execution". Essentially, the CPU looks ahead in the code it's running, decides that some operation is likely to happen - such as retrieving a value from memory or doing an arithmetic computation - and starts to process it even before it's determined whether it will happen. If not, it discards the result of the operation. Unfortunately, if the condition for whether the code should run is a security check, such as a bounds check or a check that the code is permitted to read that memory, the mere fact that the operation ran leaves traces behind, most usefully for an attacker in which memory locations are now sitting in the CPU's cache. The discarded result is never handed to the code directly, but a later, carefully timed memory access can reveal whether a particular location was cached, and that timing difference is enough to reconstruct the secret value one byte at a time.

This is a difficult vulnerability to fix because CPUs rely on optimizations like speculative execution for performance. Modern CPUs have multiple arithmetic units per processor core and run much faster than memory can deliver data, so they need to reorder their work to keep the entire processor busy instead of waiting. A team of researchers systematically investigated these sorts of behavior, including speculative execution and out-of-order execution, and found seven new types of attacks.

Expect mitigations for these new attacks to come out soon. In many cases, the mitigations will require preventing processor optimizations from taking effect when the CPU starts or stops running untrusted code. They'll likely have less effect on use cases like video games, where you're running one application for blocks of time, and more effect on use cases like running JavaScript from lots of different websites - keeping multiple tabs running is likely to use both more CPU time and more memory in order to keep websites properly isolated from each other.
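As an added illustration, not code from the show or from the researchers, the C fragment below shows the classic Spectre variant 1 pattern described above (a bounds check followed by a load whose address depends on the checked value) next to the branchless index masking used to fix it in code such as the Linux kernel. The two arrays, their sizes and the probe indices are constructed for the example. The other common mitigation, a speculation barrier instruction such as x86's lfence placed right after the bounds check, is left out because it needs a compiler intrinsic and is not portable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: a small array the code is allowed to read, and a
 * large "probe" array whose cache state an attacker would later measure. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 512];

/* Vulnerable pattern (Spectre variant 1, "bounds check bypass"). If the
 * branch predictor guesses "in bounds", the CPU may speculatively read
 * array1[x] for an out-of-bounds x (i.e. some secret byte elsewhere in
 * memory) and use it to pick a line of array2. The result is discarded when
 * the check fails, but the array2 line it touched stays in the cache, and a
 * timing measurement over array2 recovers the secret byte. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE) {
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Branchless mask in the style of the Linux kernel's array_index_mask_nospec:
 * all ones when index < size, zero otherwise. Because no branch is involved,
 * there is nothing for the predictor to mis-speculate on; the value is
 * computed with plain arithmetic that speculation must also follow. */
size_t index_mask_nospec(size_t index, size_t size) {
    /* If index >= size, (size - index - 1) wraps and sets the top bit;
     * ORing with index keeps it set. Inverting and arithmetic-shifting the
     * top bit across the word yields 0 for out-of-bounds, ~0 for in-bounds. */
    intptr_t t = (intptr_t)(index | (size - index - 1));
    return (size_t)(~t >> (sizeof(intptr_t) * 8 - 1));
}

/* Clamp an index to zero when it is out of bounds, without a data-dependent
 * branch. */
size_t index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened version: even if the branch is mispredicted, the masked index can
 * never point outside array1, so no secret-dependent load ever reaches
 * array2 during speculation. Architecturally it returns the same values as
 * victim_vulnerable for every input. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {0, 7, 15, 16, 100, (size_t)-1};
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("index %zu -> masked index %zu\n",
               probes[i], index_nospec(probes[i], ARRAY1_SIZE));
    }
    return 0;
}
```

The two victim functions return identical values for every input; the difference lies only in what the CPU is allowed to do while it is guessing. That is why this class of bug cannot be found by testing program output, and why the fixes carry a performance cost: every such check in kernels, browsers and JavaScript engines has to pay for a mask or a barrier.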

Transcript

Geoffrey Thomas (GT): Liz! I got some fantastic internet security news to share with our listeners!

Liz Denys (LD): We're not at that part of the episode yet, Geoffrey, and I thought we already discussed what to put in the news. What is it?

GT: The Japanese minister in charge of cybersecurity has seemingly never used a computer, according to an AP report.

LD: Well, uh, to be fair that probably makes him the most cyber-secure government minister on the planet. He'll certainly never deal with ransomware or malware!

GT: So he's not solely in a cybersecurity role; it just happens to be one of the things in his portfolio, along with the 2020 Winter Olympics. And he says he's got aides who know what they're doing. But he did get some questions about risks to power grid infrastructure from USB drives, and he seemed to think that USB drives were "basically never used." And it wasn't clear he understood what USB was.

LD: Okay, that's a much more concerning position. Stay tuned for this episode of Loose Leaf Security, and you'll know more about the risks of malicious USB drives than Japan's cybersecurity minister.

GT: We'll also talk about how to avoid malware in more practical ways than just never using a computer!

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: So remember two episodes ago when we encouraged you to use BitLocker for full disk encryption? Turns out that might not be as strong as you'd think.

GT: Researchers from Radboud University in the Netherlands decided to investigate hardware disk encryption, a feature of some brands of hard disks where the disk itself handles encryption, and it turns out many disks are just not very good at it.

LD: For instance, one disk encrypts its contents and asks for a password to decrypt, but there's no relationship between the password and the encryption. It just checks the password and uses a totally unrelated encryption key - so someone with a very basic electronics kit can attach to the drive and tell it that the password is right, and it will just decrypt the drive.

GT: The worst part is, BitLocker in Windows 10 defaults to trusting drives that say they have their own hardware encryption, instead of doing its own encryption in software that works the same on each drive. So even if you enable BitLocker on one of these disks, Windows won't do any encryption of its own.

LD: It's not clear why Microsoft chose to do this - perhaps for performance, or perhaps because they had marketing agreements with hard drive vendors that Windows would make use of these features. But they've released some guidance on the problem, once it was clear that many hard drive vendors did not do a good job at encryption.

GT: There's a fairly easy way to check whether you're affected - you've got to type one command into a Windows prompt. We'll include the command in the show notes.

LD: Unfortunately for Windows Home users, there isn't an easy way to force BitLocker to use software encryption. You have to use something called "Group Policy," a tool for IT departments to configure groups of computers, and that isn't installed on the Home edition.

GT: There are varying instructions on the web about how to enable it and none of them are very great. One of them suggests downloading a zip file of Group Policy from the Enterprise edition from someone's DeviantArt account.

LD: Wow, DeviantArt, the fan art site? Definitely not what I would think of as a trustworthy place for software distribution.

GT: We haven't found any instructions we really like, but we'll keep looking - or we'll write something up ourselves if we can't find anything clear and safe. Once we have something to recommend, we'll update the show notes for this episode, and we'll also send out the link on social media.

LD: For now, run the command to check whether you're affected and be careful about your laptop if you are.

GT: Last Monday, some internet traffic that should have gone to Google services, including to their cloud computing platform, ended up routed through China and Russia instead. This happened as a result of possibly intentional, possibly accidental Border Gateway Protocol hijacking, which is when a group of IP addresses are illegitimately declared to be originated by an entity that doesn't actually originate them, and then, this propagates through internet routing tables.

LD: When you load a webpage or try to connect to a server somewhere else on the internet, your computer generally doesn't connect directly to the server because your computer doesn't have a direct connection to every other computer out there. Instead, your request is sent over a network of routing servers that look at your request and route you to the right place.

GT: Each of these routing servers knows where to send you because they're subscribed to the internet's routing tables. Organizations that own many IP addresses, like Internet Service Providers, infrastructure providers like Google, Amazon, and other large companies, and many universities, populate these routing tables by using the Border Gateway Protocol, BGP for short, to say they originate the IP addresses they own, and the routing tables will tell routing servers to direct requests for their IP addresses to them.

LD: In this incident, a Nigerian Internet Service Provider, Main One, says they made a configuration error that said they originated some of Google's IP addresses even though they don't.

GT: A spokesperson for Main One said their engineers accidentally rerouted some Google traffic to China Telecom which then routed to Russia's TransTelecom, so traffic for one of the affected Google services would just end up getting lost. If you tried to go to one of the affected Google websites while this was happening, you'd likely just get a timeout error.

LD: Google stated they don't believe there was foul play involved, but if someone was using this sort of BGP hijacking as a way to serve incorrect data instead of just denying a route, you might be served a different page than the one you requested. This actually happened recently with an online cryptocurrency wallet, and people who ignored unsigned SSL certificate warnings and visited the imposter page had their cryptocurrency wallets emptied.

GT: It's really important to use the secure, encrypted HTTPS protocol so that you see warnings for changed certificates, and also that you think twice before clicking through them. The Washington Post reports that 94 percent of requests to Google services are over encrypted connections, and if, like those 94 percent of requests, you're using the secure HTTPS protocol, then you'd see a certificate mismatch error, pause, wait until tomorrow to try the website, and would dodge such a BGP hijacking attack.

LD: Well, not so fast. HTTPS would protect you if BGP hijacking was the only component of this hypothetical attack, but it might not protect you if the attacker also obtained valid certificates from a Certificate Authority that is topologically close to where they're propagating the bad information into the routing tables. Our browsers intrinsically trust Certificate Authorities, as we discussed in our episode "Keeping your web browsing private," so it's possible that with the right route, you could get the attacker's certificate before the real one and unless you knew which Certificate Authority to expect, probably wouldn't notice. This is a rather sophisticated attack that is beyond the scope of this podcast, and since this more sophisticated attack would affect you whether you were using the unsecured HTTP protocol or the secure HTTPS protocol, you should still be using HTTPS.

GT: Security researchers at NYU and the University of Michigan published a paper about a neat way to trick fingerprint sensors like the ones in many smartphones into unlocking, even if you don't have the right fingerprint.

LD: The fingerprint sensors in smartphones are generally expected to have false positives 1 out of every 1000 times, but these researchers made "universal fingerprints" that were able to fool fingerprint sensors with smartphone grade technology over 1 in every 5 times.

GT: As we mentioned in our episode "Securing your phone," Touch ID and other fingerprint-based unlocking mechanisms are already weaker if someone gets your phone while you're asleep or something, but this sort of attack means a thief might get access to your data without needing you to unlock it at all.

LD: If you're worried about your phone getting stolen or you losing your phone and someone getting access with an attack like this or any of the other vulnerabilities of fingerprint logins, you can always use a long passcode instead.

GT: Earlier this year, researchers discovered two major security flaws in modern processors: Spectre and Meltdown. A research team that included many of the original researchers behind these two attacks discovered seven new variants of these processor attacks.

LD: These attacks exploit a CPU optimization known as speculative execution to reveal sensitive data. Since the attacks from earlier this year affected most modern CPUs, most devices could be affected, and operating systems rolled out patches to fix it.

GT: These patches essentially limit speculative execution so it's possible your computer slows down a bit after taking them, but you might not really have noticed unless you were pushing your CPU to its limits in specific ways, which most folks probably aren't outside of leaving lots and lots of tabs open in their internet browsers.

LD: If that's you, you might want to close those tabs and save them to bookmarks so you don't see a slowdown. Also, everyone should expect to see more patches to mitigate the effects of the newer variants, and make sure you're keeping on top of those software updates.

GT: The BBC Russian Service found private messages from 81,000 Facebook accounts for sale on a web forum. According to Facebook, the data seems to have been taken from a malicious browser extension.

LD: The seller was actually offering data from over a quarter million accounts, for ten cents an account. The BBC worked with a security company to confirm the data, and found that 81,000 definitely had private information like chat messages included.

GT: Facebook didn't give details, but they say that they determined the attack was not a vulnerability in Facebook itself but a malicious extension that was monitoring people's activity on Facebook.

LD: As we mentioned in our series on web security, while web pages are isolated from each other, extensions are allowed to request access to specific websites or even all websites if that's needed to do their job. For instance, there are extensions that enhance the UI of certain websites which only need access to those certain websites, and there are also extensions like password managers and grammar checkers that would want access to every website. But you should only install extensions that request access to websites if they seem trustworthy - something like a game or an extension from an unknown developer shouldn't have this kind of access.

GT: Web browsers do ask you for permission before giving an extension access - your browser will say "This extension wants to read and modify data on facebook.com" or "This extension wants to read and modify data on all websites." - so you can pay attention to those prompts. Unfortunately, regular desktop software generally doesn't have any prompts like that, and has access to not only all the data for websites you visit but also everything else on your computer.

LD: That's the main subject of today's episode. We'll get to how you can protect yourself from malicious software after a quick break.

Interlude music plays.

GT: In past episodes, we've talked about the security models of cell phones and web browsers. Unfortunately, we're now talking about desktop operating systems, OSes for short, which have the worst model of any common computing platform today.

LD: The fundamental assumption is that any software you run has complete access to your user account. Software doesn't have to say up front what it needs access to: it can just get to any files it tries to access when it wants it.

GT: There's a reason for this - desktop and laptop computers today have a direct lineage to the desktop computers of twenty to thirty years ago. When people were designing how low-cost personal computers would work, the idea was that you'd buy some software in a shrink-wrapped box from the store, so why would you need to restrict what it does?

LD: It wasn't that nobody knew how to build secure OSes. Back in the 1960s, a multi-user system called Multics pioneered many of the security techniques used in building secure software today, like access control and specialized hardware support. It was just that people thought you didn't need them for a single-user machine at home or on an office desk.

GT: Which, of course, changed very quickly once people started sharing floppy disks and using modems to connect to other computers. Now there was a path between computers that didn't trust each other, and there were no protections against software that wanted to do something malicious.

LD: This is when the first viruses showed up - software that would infect other software and cause it to do something unwanted and also spread the infection. You'd download an infected program, and it would infect all the other software on your computer. Then when you shared a program with your friends by floppy disk, they'd get the virus too.

GT: As the internet grew, we also got worms, software that could spread on its own. Typically it would look for a security vulnerability in some software accepting connections from the internet, and spread that way, much like a virus.

LD: And then you've got more recent phenomena like software that encrypts your files and holds them for ransom or software that injects unwanted ads all over the place, because people found they could use these techniques to make money and not just annoy people. All these types of malicious software are generally referred to as malware.

GT: Desktop OSes were never designed to put meaningful constraints on what software could do, so malware has access to your PC just as much as any of your legitimate applications. And even legitimate applications sometimes have security holes that let corrupt files take control of the application - and once an application has been exploited, the malicious code has full access to your computer, because applications were designed to have full access to your computer.

LD: And, unfortunately, there has never been a good opportunity to redesign desktop OS security. A couple of companies tried to build radically different designs for operating systems, but everyone wanted to know, is my old software going to work? And all that old software was written to just access all files, with no concept of asking for permission or using its own private storage or anything.

GT: It took the rise of web and mobile platforms to have an opportunity to do something different - and those had to wait until we had enough computing power to put, basically, a Multics-style multi-user access control layer inside a regular desktop application, or inside your pocket.

LD: If you're using Google Docs, for instance, you expect that it's not going to have access to all your files, that you would need to specifically upload and download things from your computer, and that it comes with its own storage that's on the website and not on your computer at all.

GT: Or if you want to email someone a presentation from your tablet or phone, you'd go into the slide editor app and press share by email and the OS will send it to your email app to use. In a desktop email client, you'd go straight into the email client and tell it to attach your presentation, because your email app can just open any of your files. On mobile, your email app only has access to those files that have been shared with it.

LD: So, this is a bit of a cop-out, but one of the best ways to be secure is to use the web platform or a mobile device like your smartphone or a tablet instead of a normal desktop computer. If you're a writer and you're happy using a tablet and a keyboard, where you can only get new apps from its app store, that's going to be a lot easier to keep secure than a full-featured desktop computer where any website can download software.

GT: I mean, I think that's actually a perfectly reasonable recommendation. If there's any way you can use a website instead of downloading some software, do that. Having a weather widget on your desktop background is neat, but it's way, way safer to just open your favorite weather forecasting website.

LD: Or even get a web browser extension that puts a weather forecast on the new tab page. Just make sure that extension doesn't ask for more access than it needs.

GT: Around 2011, both Microsoft and Apple announced app stores for the desktop that worked very similarly to mobile app stores: apps were sandboxed and the OS restricted what they could do. Microsoft's version is based on what they call the Universal Windows Platform - the same app runs on Windows desktop and also on Windows Mobile phones and tablets. The Mac's version wasn't based on iOS but clearly inspired by it: apps needed to go through the OS to open files and were otherwise restricted to their own space.

LD: Several popular apps either experimented with these app stores and pulled away, or never tried it in the first place. BBEdit, a popular text editor for web developers and other programmers, had a restricted version on the Mac App Store and eventually removed their app store version entirely. They usually have a file browser pane, which couldn't work with the app store's restrictions. On Windows, Microsoft doesn't allow alternative web browsers. Chrome tried having an installer - basically a trustworthy way to find the link to get Chrome - but Microsoft ended up removing it.

GT: So again it turned out that people wanted their old apps to work on desktop. Still, for apps that are available through this app store, it's much safer to use them that way if you can. This isn't to say that everything on the store is safe and you should install it all, just that if you're going to get an app, getting it from the store is a better choice.

LD: Apple is working on changing how their app store works: they're relaxing some of the sandboxing restrictions for a new scheme called "notarized apps," where app developers have to send a copy of each version of an app, each new executable file, to Apple. Apple will scan the file for malware and send back a digital signature attesting that they've seen the app. That way, instead of putting restrictions on how apps work, they can put restrictions on which apps can run - and they can investigate and block apps that turn out to be malicious.

GT: They did a big event earlier this year where some of the apps that were famous for not being on the App Store, like BBEdit, Adobe Lightroom, and Office 365 all seemed on board. However, those apps don't actually seem to be on the App Store quite yet, so it looks like this is a work in progress.

LD: By the way, for the Linux users in our audience, don't get smug - all of this applies to you too. Linux distros have basically had the app store model for years: the standard and trustworthy way to get software is from the people who make your OS. But if you're downloading things from other websites, you're as much at risk of malware as Windows and Mac users. You might be less of a target for generic malware, but your OS is still probably running all your apps in the same user account.

GT: So, since you're probably going to be getting some software from places other than the OS vendor's app store, how do you do that in as secure a way as possible?

LD: That's a big topic, and we'll get to it after a quick break.

Interlude music plays.

LD: If you're getting a piece of software online, make sure you're using the secure HTTPS protocol, that you're not getting certificate mismatch errors, and double check that you're on the right website: the right website is the website for the developer of that piece of software. You want to avoid purchasing or getting it through third-party download sites. Third party sites might include extra software you don't need, and even if their certificates and such are in good order and they don't seem shady, it's harder to know that you're getting what the developer intended.

GT: An application developer can generally make sure their software is uploaded intact to their own website. With a third-party download site, there's more opportunities for someone to sneak something unwanted into the app, or for someone to pretend to be the developer, or something.

LD: If the developer's site sends you to a different site for the download, that's fine - that's still safer than going to a third party site directly and getting it from there. If you're using a secure HTTPS connection to the developer's site and your browser shows the certificate as valid, you can be pretty confident you're getting to the canonical place the software developer wants you to be getting their software from. Unless you've gotten that really nasty and unlikely Border Gateway Protocol attack combined with obtaining a certificate from a nearby CA like I mentioned in the news section.

GT: Yeah... that seems pretty unlikely, though. The other primary way to stay safe is to pay attention to alerts the OS gives you about untrusted apps. For the last several years, both Windows and macOS have supported a way for application authors to digitally sign their apps. Microsoft calls their system Authenticode, and Apple calls theirs Gatekeeper, but it's basically the same idea. These systems are similar to certificates for websites - the application developer gets a certificate from a trusted certificate authority. But unlike most web certificates, these certificates attest to the legal identity of the person or the business who developed the app.

LD: When you download an app from the internet, both Windows and macOS will check whether it's signed. They'll either prompt you or tell you to go into your system settings if you try to run an unsigned app. In general, you should only run apps that are properly signed and display the publisher name that you expect.

GT: If you think you downloaded Photoshop by Adobe and you got a prompt to run Photoshop by Awesome Downloads Dot Cool, maybe you should click no and try getting it from somewhere else.

LD: There are occasionally legitimate reasons to run unsigned software - for instance, if there's software from a small developer you trust, you might know that they don't have a signing certificate set up. But in that case you should be extra sure that you got the software in a trusted way; in general you should be suspicious if you're ever prompted to run software that isn't signed.

GT: You should be extremely suspicious of any pop-ups that ask "do you trust this app" when you're not trying to run an app. You should usually only see this once, when you initially install a piece of new software and then never again.

LD: There are a couple exceptions, but they usually come at obvious times. When you upgrade your OS, the OS might change how permissions work, and you might need to grant it the new style permissions. Dropbox users on Macs saw something like this when upgrading to Mojave recently.

GT: Unlike with phone and tablet apps, desktop apps typically ask for permissions when they're installed.

LD: Though, occasionally, software won't ask for the permission until it figures out it needs it. That same Dropbox change on Mojave does something like this when it detects you've made changes to Microsoft Office documents for the first time, and this is a pretty uncommon behavior. If I saw a request like this, I'd look into the developer's documentation to see if that's expected.

GT: Yeah, if you just search for "Dropbox automation mac" you might get sent to Quora or StackOverflow or some other random help forum online. Even though a lot of people there are trying to be really helpful, there might be a malicious Dropbox lookalike going around, so the fact that other people are seeing this doesn't necessarily mean it's what you should be seeing. Because Dropbox talks about this on their own help pages, you can be more confident that this is expected behavior.

LD: You should also be careful to make sure that when you're asked "do you trust this app," you're actually opening an app. If you're just opening what should be a normal file that shouldn't be installing anything, like a PDF or an image or whatever, you should never be getting this prompt.

GT: That's a big red flag for malware. This means it's not actually a normal file but an app pretending to be a normal file. Because desktop OSes weren't designed to be paranoid, double-clicking is all you need to do to both open a document or run a program, and your OS won't differentiate between these actions in any way.

LD: If you do see that "do you trust this app" question for what you thought should be a file, don't trust it, delete it, and make sure it's permanently deleted by emptying out your trash.

GT: It's not that it will do any harm by sitting there - it's just that there's a danger you might forget that it's malicious and click on it later.

LD: As much as I love independent developers and projects, for security purposes, you often want to avoid apps from small or new developers unless you have a specific reason to trust and use their app over similar, more popular apps made by bigger companies. Examples of specific reasons to trust an indie app include if it's software from someone you know personally to be trustworthy or through a trustworthy community. Or maybe it's software from an indie because it's a really niche product, but you've found out that the community around that niche has vetted it thoroughly.

GT: People trying to ship you malware often try to get their bad software out into the world through as many avenues as possible, so that any one of them getting marked as malware or deleted won't stop their infections from spreading, so it's often hard to tell the difference between malicious programs targeted at a smaller audience and programs from indie developers that genuinely mean well. One of the cases I actually feel a little bit uncomfortable about is indie games because it's pretty common to get games from the indie developer's website directly, but it could look indistinguishable from someone who's trying to spread malware. So I actually do appreciate third-party platforms for game distribution for this specific reason, which is that you have some amount of accountability for the authors of the app, even if it's a very small group that's publishing the app.

LD: Also, having a smaller user-base means their programs don't get the same sorts of scrutiny from security researchers and the media and also probably means that they don't have the same dedicated security team resources as larger software companies have available to them.

GT: Just like with your phones and tablets, you want to avoid apps that ask for more access than they need. If an app asks you for admin access without good reason, which honestly very little actually needs admin access outside of device drivers, you should consider carefully whether you want to use this software or find an alternative.

LD: The mixer we're using for recording this podcast is a pretty good example of when something might need admin access. It turns out my computer could already interface with it so I didn't need to install a driver, but a mixer is a pretty specific hardware device, so it wouldn't have been surprising if it did need a driver and installing that driver did need admin access.

GT: If you're looking at competing hardware products that do the same sorts of things, some of them might require different levels of access in order to get them to work with your computer. Some might require drivers, and some won't.

LD: Yeah, we considered a lot of different things when I picked out a mixer to buy, but one of the factors for choosing the one we did was that it was unlikely to need me to install drivers and could work right out of the box.

GT: Anyway, while OSes don't do a lot of separation between different programs, one thing they are pretty good at insulating is the core operating system from other, normal programs. If something asks for admin access, it's asking for access to things like the kernel, the drivers, and the early system code that is used to boot up your computer, and unless you're intentionally installing something that needs admin access to do its job - maybe it's a driver itself, and you know that it's coming from a trustworthy source - anything asking for admin access should be a big red flag.

LD: If you grant a program admin access, it's a lot harder to unhook it later. Since it won't just be limited to non-privileged parts of your hard drive and the operating system, it's going to be a lot harder for your OS or you to find all the things it's touched and revert or delete them if you ever want to uninstall it.

GT: Sometimes, software will come bundled with hardware, like if you got a fancy MIDI controller and it came with Ableton. This is generally a pretty trustworthy way to get software like Ableton.

LD: Yeah, that's not just because it's bundled with hardware but also because Ableton is a well-known, professionally respected application that you'd expect to use with a fancy MIDI controller.

GT: Right, not all software bundled with hardware is trustworthy though. If you got a webcam and it came with Joe Schmoe's Neat Special Effects App, you probably want to be suspicious of it because Joe Schmoe's App is just some random piece of software that isn't well-vetted and also doesn't specifically relate to using a webcam.

LD: Or maybe your new cheap gaming keyboard from China has a "Cloud Driver," and that's pretty suspicious - keyboards don't need drivers these days to interface with your computers, and keyboards certainly don't need any "Cloud Drivers" because your keyboard isn't a cloud device.

GT: Unless it's sending all your keystrokes to the cloud!

LD: You definitely don't want that!

GT: So there's a couple more cases where your OS will prompt you about what you're about to do, and this is your second line of defense in keeping your computer safe, right after not downloading weird stuff in the first place.

LD: Keeping track of those downloads is actually a big one. In addition to checking digital signatures, both macOS and Windows attempt to track downloaded programs and show you a prompt saying, "Hey, you downloaded this from the Internet, are you sure you want to run it?" Usually they'll also show what website it came from. If this shows up at an unexpected time or the website looks wrong, you should probably say no and try to retrace what happened.

GT: Although this isn't foolproof: the OS can track direct downloads, but it requires your web browser to mark the file as a download, and the OS is also less likely to find downloaded files that took a longer path to get to your computer.

LD: For instance, if you decompressed it from a ZIP archive or something, your OS might not track that a file came from an archive that came from the internet. This was why I was weirded out by the DeviantArt download site earlier - while it totally makes sense that a ZIP file is a convenient way to distribute programs, it's also a common way to smuggle something past one of your OS's checkpoints.

GT: Another case where the OS can't help you is USB drives. If you open a file on a USB drive, your OS has no idea where it came from before that. Maybe you made the file on another computer, and it's trustworthy. Maybe you downloaded it. Maybe someone else shipped you the drive and you've never seen it before and you're plugging it in to see what's on it.

LD: A friend actually mentioned to me that their most recent home insurance policy came as a USB drive in the mail, which is pretty suspicious to me! Maybe it was the home insurance policy, but maybe it was just some attacker pretending it was a home insurance policy and it came with malware instead.

GT: Yeah, I would honestly push back on that and tell my home insurance company that they need to not send me USB drives in the mail.

LD: Yeah, it would be a lot safer if they gave you a direct download from their secure site over HTTPS or something instead. Because of the old compatibility problem, OSes can't be too restrictive about what you do with USB drives. They got rid of an old feature where it would literally run a program automatically, which was super dangerous, but they can't mark files as untrusted because you might be using them for regular work.

GT: And people plugging in USB drives just to see what's on them is very common. Please, don't do that. If you see a USB drive in the parking lot at your office, don't plug it in and start clicking things. At least give it to your IT department to investigate on an offline computer. Planting USB drives is a surprisingly effective way of breaking into companies' internal networks.

LD: Another risk is you don't actually know if it's a USB drive or not. If you've ever seen a security key, they're about the same shape and actually smaller, and one of the modes is that they work like a keyboard to type in a one-time password. A USB device can be anything; it doesn't have to be what it looks like.

GT: We'll talk about these attacks in more detail in our next episode, but you already know more than enough about the risks of USB drives to be the Japanese minister of cybersecurity. Congratulations!

LD: All right, there's one last case about security prompts that we should talk about. Microsoft Office has a feature called "macros," which are essentially little programs that do cool things with your document. They can fetch data and process it, or give you buttons to automate common things, or mess with the files on your computer.

GT: If a document has macros, Office will prompt you before you open it - and you should be very confident about why exactly it needs macros before you click yes.

LD: This is probably going to be because you're working with someone you trust. There aren't any really good cases for documents with macros being distributed widely or through the internet - regular formulas in spreadsheets aren't macros, and things like programmable forms can be done more safely with websites.

GT: One of my coworkers actually has an Excel spreadsheet with macros that he uses to download the latest status of a big project. I enable macros for that spreadsheet, because I trust my coworker and he's told me in person that the document needs macros, and I'm confident that I got the spreadsheet directly from him. I can't remember having any previous legitimate use for macros - they're pretty rare.

LD: So one question you might ask at this point is, isn't this what antivirus software is for - finding malicious software and preventing it from running?

GT: Hey, Liz, should I run antivirus software to protect myself?

LD: Great question, Geoffrey! But unfortunately, the answer isn't very clear - especially these days, now that there are improvements to the OS like signed software and app stores, the benefit is lower.

GT: Motherboard actually had an interesting article about this last week - they ended up interviewing antivirus industry folks, so you might say it's biased in favor of yes, but they still ended up at "it depends." We'll link to their analysis in the show notes.

LD: The idea of antivirus is that it constantly scans the files you use to see if they're malicious. But it's very hard to know for sure if an executable is malicious: in general antivirus tends to be reactive, only catching types of attacks that they've seen before. And depending on what you do, it can have false positives, because it doesn't know if there's some legitimate reason you have an application that's doing something unusual to your system.

GT: The bigger problem is that antivirus software tends to run with driver-level access because it needs to be able to intercept all file access. And so any bug in antivirus code can potentially give an attacker driver-level control of your computer. Motherboard thinks that this is particularly risky for people who might be targeted by government intelligence agencies, but I think it's a lot more general than that - some of the weird things that antivirus software has done have been easily exploitable to even casual attackers.

LD: Basically, if you're going to ignore this entire episode and download things from weird places on the internet for fun, you probably should get some antivirus. Or more realistically, if you're responsible for computers other people use - family members who aren't as familiar with internet safety (by the way, you should send them this podcast) or computers in a public library or school - antivirus will probably make it easy to keep these machines clean.

GT: Of course, another option is to just set up a more locked down system - like a Chromebook, where you can't install apps at all and you can only just use the web platform, or something like Windows's "S mode," where you can only run apps from the Microsoft Store. Or on a Mac, you can configure Gatekeeper to only allow apps from the App Store. For folks managing public access computers, another good option is to look into software specifically designed for cleaning up shared computers after each user.

LD: If you're going to install antivirus, plan to spend some time researching what the options are and what their security track records have been. The thing that came bundled with your laptop for a 30-day free trial might not be the best option. And there's one more thing to think about besides effectiveness and security: antivirus users often complain that their computer's performance is getting worse, so you should look for an antivirus that doesn't hog your computer's resources.

GT: However, there is one very good option that comes with Windows computers. Windows Defender is built in and enabled by default, and it's a sort of a baseline malware protection tool. It's not a full-featured antivirus, but it scans for common malware, and because it's part of Windows, it doesn't do anything particularly weird to Windows to get the access it needs. If you're running Windows, you should keep it enabled.

LD: Oh, another case where you might want to get antivirus or anti-malware software is if you're cleaning up a computer that's already been infected. As we discussed last episode, you're a lot better off wiping your machine and restoring it from backup - it's hard to completely dislodge malware once it's gotten into your system, especially if it ended up getting admin access at some point. But if that's not an option, there are a few reputable malware removal applications. Again, do some research on them and look for well-established applications that have a track record of not making things worse and are still well-reviewed, and get them from a trustworthy source, like we discussed earlier in this episode.

GT: The best option is still to try to keep malware off your computer in the first place, and hopefully, by now, you've gotten a better sense of how to do that. It's really just a matter of keeping your wits about you when using your computer.

LD: Tune in next episode as we wrap up our series on computer security by looking at external threats. We'll take a deeper look at malicious USB devices and other ways external ports and devices could harm your computer. We already looked at physical attacks to the hardware on your computer itself, but there's a lot that could go wrong with accessories and devices.

GT: We'll also look briefly at how to keep yourself secure from network threats - in this episode we mostly focused on how to make sure you're not downloading malicious apps, which for most people is the biggest route in for malware. But if you're using certain kinds of file sharing or remote access applications, those can be risks, too.

LD: Both of us are traveling to visit family this week, so our next episode is going to be three weeks from now.

GT: Actually, I'm going to catch a plane to Tokyo to start my political campaign there. I think I have a real shot at being cybersecurity minister.

LD: Geoffrey, they'll never vote for you. You have way too many computers.

GT: Oh no, you're right.

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.