Why isn't LUA given more importance?

Discussion in 'other security issues & news' started by wearetheborg, Aug 1, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    LUA does not seem to be very popular, even on wilders. Why is that so? I come from a Linux environment, and LUA is like step 1 in security for me.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Your statement implies that you have observed elsewhere than Wilders. Where else have you noticed this tendency?

    At Wilders, many people, single users of a computer, have security in place to cover the remote code execution exploits, which is the attack vector that LUA helps to nullify**. So, they are not concerned about running as an Administrator, which is just more convenient. You will find that SpikeyB (from the SRP thread) falls into this category.

    The other attack vector is social engineering, or just downloading/installing stuff that is infected, such as from P2P and other such places booby trapped with all kinds of junk. In these cases, the user grants Administrator/installation privileges, so LUA is out of the picture.

    Here is my favorite, because it illustrates that whether *nix or Windows, the situation is the same.

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    **I say that LUA "Helps" to nullify attacks, because there are instances of malware written to infect the user w/o getting into System areas.


    ----
    rich
     
  3. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    In other places, not security oriented though.

    Interesting...I would not have had that confidence. The SRP suggested in the SRP thread would for instance not have protected against the current LNK exploit. LUA is just another (supposedly) failsafe tactic to limit damage when things go wrong.

    BTW, why is running as an admin account more convenient? Isn't an admin account required only for installing software and managing the computer?



    Yes, that is true!
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Are you sure? The payload was just a DLL disguised as TMP. I'll have to defer to someone else with SRP, but I would think you could have a rule to take care of that.

    I agree with that!

    Speaking only for myself: I make changes while testing, such as I deleted the Registry MountPoints key while looking at a USB Autorun.inf exploit. Any changes made during testing are discarded on reboot, since I use Deep Freeze on the system partition.

    Besides that, I'm the only user and I'm the Administrator, so that's how I run.

    Back to LUA in general: you have to remember that in Win9x days we had to learn to protect from exploits by understanding how they work, and taking appropriate action within the context of a security strategy. The emphasis was on developing sound policies and procedures.

    Take autorun.inf -- a legitimate Windows function. Back in Win9x days, before the current USB exploits, floppy disks were used to spread the autorun.inf exploit. Anyone following security was aware of that, and protected accordingly. For those like myself working in education environments, we came in contact regularly with students' disks. There was nothing to be afraid of if you understood how the attack worked and how to prevent autorun.inf from executing its commands. This carried over to USB devices, where the attack vector is the same.

    Again, I'm speaking just for myself, and am answering your original question from that point of view.

    This is in no way to encourage anyone else to do the same!

    ----
    rich
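Two checks that someone handling student disks, as described above, would want to script. This is an added example and not code from the post: it lists the commands a given autorun.inf would launch (the open and shellexecute keys, and the shell\verb\command entries behind the drive's context menu), and reports whether the machine would honour the file at all, via the NoDriveTypeAutoRun policy value and the Autorun.inf IniFileMapping entry. The autorun.inf text is constructed for illustration; the registry paths are the documented Windows locations, and only the HKLM copy of the Explorer policy is read.

```powershell
# Added example (not from the thread). PowerShell 2.0 syntax so it also runs on XP.

# Constructed sample autorun.inf, the shape seen on infected floppies and USB sticks
$SampleAutorun = @'
[autorun]
icon=setup.exe,0
open=setup.exe
shellexecute=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
'@

function Get-AutorunCommands {
    # Returns each key in the [autorun] section that can cause code execution,
    # directly (open, shellexecute) or through the drive's context-menu verbs
    # (shell\<verb>\command). Keys such as icon and label are ignored.
    param([string]$IniText)

    $inAutorun = $false
    foreach ($line in ($IniText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inAutorun = ($matches[1] -eq 'autorun'); continue }
        if (-not $inAutorun -or $t -eq '' -or $t.StartsWith(';')) { continue }

        $kv = $t -split '=', 2
        if ($kv.Count -ne 2) { continue }
        $key = $kv[0].Trim()
        if ($key -eq 'open' -or $key -eq 'shellexecute' -or $key -match '^shell\\[^\\]+\\command$') {
            New-Object PSObject -Property @{ Key = $key; Launches = $kv[1].Trim() }
        }
    }
}

function Test-AutorunHardening {
    # Checks the two machine-wide settings that stop autorun.inf from being acted on.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $iniMapping     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF turns AutoRun off for all of them
    $ndta = $null
    if (Test-Path $explorerPolicy) {
        $ndta = (Get-ItemProperty $explorerPolicy).NoDriveTypeAutoRun
    }

    # Mapping Autorun.inf to a registry key that does not exist makes Windows
    # ignore every autorun.inf, regardless of the drive type bitmask
    $ignored = $false
    if (Test-Path $iniMapping) {
        $ignored = ((Get-ItemProperty $iniMapping).'(default)' -eq '@SYS:DoesNotExist')
    }

    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = $ndta
        AutoRunOffAllDrives = ($ndta -eq 0xFF)
        AutorunInfIgnored   = $ignored
    }
}

Write-Host 'Commands this autorun.inf would run:'
Get-AutorunCommands $SampleAutorun | Format-Table Key, Launches -AutoSize

Write-Host 'Autorun hardening on this machine:'
Test-AutorunHardening | Format-List NoDriveTypeAutoRun, AutoRunOffAllDrives, AutorunInfIgnored
```

For the sample above the parser reports four launch points, all pointing at either setup.exe or RECYCLER\update.exe; blocking those executables (or the locations they sit in) is what actually defuses the disk, which is the same point made later in the thread about LNK files. The hardening check reports only the two registry settings; it does not cover per-user overrides under HKCU or the later Microsoft AutoRun updates, which change behaviour without touching these values.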
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Hmmm, maybe SRP would prevent it then. I assumed that since http://www.mechbgon.com/srp/ settings excluded LNK files from SRP, that the exploit would work.

    Ah, got it. You have made the system so secure that LUA is of negligible value.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't believe the solution lies in blocking LNK files, rather, blocking the executable that the LNK file attempts to run.

    ----
    rich
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can't LNK files be malicious in themselves?
    Otherwise, I don't understand why there is an option for including LNK files under SRP.
     
  8. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    Then you're already a step ahead of the game in Windows.

    Anyone with the security knowledge of, say, the member 'Rmus' can play it any way they please. However, the vast majority of users don't have that sort of expertise and need all the help they can get-- or at least need to take some helpful security measures.

    Until Vista, running as Admin. was always default behavior for Windows, and most users don't change any software behavior from the default settings.
    Setting up a new account takes effort and a modicum of knowledge. It's much simpler to just leave the defaults and go ahead and chow down on the infections. ;)
    Well, until the time comes when the infections require being dealt with, anyway.

    Besides, who's around to educate the uneducated user? No one, that's who.
    Where are the pop-up messages on first boot from Microsoft or computer manufacturers recommending some security measures to be taken, or specific account types to be established? Nowhere, that's where.

    Unless there's a knowledgeable friend or something to help out, the uneducated user is strictly on his own, and Microsoft and the box-makers provide precious little in the way of initial security guidance.

    Me, I'm strictly self-taught.
    How? By reading forums, doing my own research, and making tons of wrong moves while figuring out what the right ones are/were.

    And why? Because there came a point for me where either I was going to learn what this 'home computing thing' was all about and become master of my machine's behavior (vs. having the malware in control), or the machine was going to get up-close and personal with the nearest dumpster.

    A happy ending-- I learned much; I continue to learn.
    My machine and I have much more of a 'love' relationship than a 'hate' one. The near-by dumpsters remain available for other trash.
    I enjoy my time on the computer.
    It's a wonderful life. :)

    A malware-free and secure computer provides much more opportunity for pleasure and enjoyment than a non-secure and infected one does.

    The Microsoft Corp. seems to have finally cottoned to the fact that making non-Admin. the default behavior is the preferable (read: more secure) way to go.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There have been exploits in the past using LNK files:

    Abusing Shortcut files
    January 26, 2009
    http://www.thesecurityblog.com/2009/01/abusing-shortcut-files/
    Note that malware has to have already installed before the malicious lnk files can be created.

    H1N1 Shortcut Malware
    July 27, 2009
    http://www.f-secure.com/weblog/archives/00001738.html
    It's not clear how this shortcut gets on to the system for the user to click.

    ----
    rich
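An audit of the SRP settings the exchange above turns on, added here as an example rather than taken from the thread or from the mechbgon guide: the default level, whether DLLs are enforced (a DLL payload, whatever extension it carries, is only ever evaluated if they are), whether local administrators are exempt (which is where LUA comes back into the picture), whether LNK is one of the designated file types, and the path rules. It reads the registry keys that secpol.msc writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer; the value meanings in the comments are the documented ones. Hash and certificate rules are not enumerated.

```powershell
# Added example (not from the thread or mechbgon's guide). PowerShell 2.0 syntax.
# Run from an account that can read HKLM policy keys.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as subkey names for rules
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpAudit {
    # Summarises the machine-wide SRP switches relevant to the LNK/DLL discussion.
    if (-not (Test-Path $SaferRoot)) { return $null }
    $ci    = Get-ItemProperty $SaferRoot
    $types = @($ci.ExecutableTypes)      # REG_MULTI_SZ: the "designated file types"

    New-Object PSObject -Property @{
        DefaultLevel    = $LevelNames[[int]$ci.DefaultLevel]
        # TransparentEnabled: 1 = check executables only, 2 = check executables and DLLs
        DllsChecked     = ($ci.TransparentEnabled -eq 2)
        # PolicyScope: 0 = apply to all users, 1 = apply to everyone except local administrators
        AdminsExempt    = ($ci.PolicyScope -eq 1)
        LnkDesignated   = ($types -contains 'LNK')
        DesignatedTypes = ($types -join ' ')
    }
}

function Get-SrpPathRules {
    # Path rules live under <level>\Paths\<GUID>; ItemData holds the path pattern.
    foreach ($level in @($LevelNames.Keys)) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            New-Object PSObject -Property @{
                Level = $LevelNames[$level]
                Path  = (Get-ItemProperty $rule.PSPath).ItemData
            }
        }
    }
}

$audit = Get-SrpAudit
if ($audit -eq $null) {
    Write-Warning 'No Software Restriction Policy is configured on this machine.'
} else {
    $audit | Format-List DefaultLevel, DllsChecked, AdminsExempt, LnkDesignated, DesignatedTypes

    if (-not $audit.DllsChecked) {
        Write-Warning 'DLLs are not checked: a DLL payload loaded by an allowed process is never evaluated by SRP, whatever its extension.'
    }
    if ($audit.AdminsExempt) {
        Write-Warning 'Local administrators are exempt: this policy only protects accounts that are not in Administrators.'
    }
    if ($audit.LnkDesignated) {
        Write-Host 'LNK is designated: shortcuts in user-writable locations (Desktop, Start Menu) are themselves subject to the path rules.'
    } else {
        Write-Host 'LNK is not designated: the shortcut always opens, but the executable it points to is still checked against the path rules.'
    }

    Write-Host 'Path rules:'
    Get-SrpPathRules | Sort-Object Level | Format-Table Level, Path -AutoSize
}
```

The three warnings map onto the thread: the "DLL disguised as TMP" payload only meets SRP when DLL checking is on; a policy scoped to everyone except administrators is worthless in an admin account, so LUA is what makes it bite; and dropping LNK from the designated types, as the mechbgon guide does so that shortcuts on the Desktop keep working, does not weaken the policy as long as the target executable still falls under a Disallowed path rule.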
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Interesting thread, thank you.
    In XP, using limited user account is rough. At least for me.
    Changing from admin rights to limited is simple.
    But changing back from limited to admin rights involves shutting down limited, starting up Admin user to change the limited's rights back to admin so that work can be done.
    Get something done, change my rights back to limited ... ARRGH!

    While there is RunAs, some very hardware-related applications just won't work under RunAs Admin, as there may be several layers of stuff to do. So it may start running and then stumbles on the subsequent need for admin rights.

    I don't know a solution. Just find it all very frustrating.
    The only solution for me is using SSM-system safety monitor, get to know what safe things need and hope for the best.

    That was my rant.
    Now a question. Why do people on Wilders use so many acronyms? Some posts and some helping answers are utterly unreadable. Case in point: this thread is great, yet what the heck is SRP? Not one explanation (*). I really like Wilders. I learn a lot here. Yet this acronym use is really getting to me. Thanks for listening.

    (*) google university has links to items such as:
    Salt River Project
    SRP Pistons
    Standards-Based Strong Password Security
    Single Responsibility Principle
    Specialty Racing Products
    Signal Recognition Particle
    and many, many others. What is it you all speak of?
     
  13. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    I'm a little unclear on exactly what you mean here--

    'Change rights'? You're speaking of logging off one account and onto another, correct?
    You don't go around changing the rights for the same account, depending upon whether or not you want that account to have Admin. or limited privileges, do you?

    Also, I've never understood what it is people do that requires them to have Admin. privileges all the time.
    I use my XP box under a limited user account for 99% of everything I do. A couple of apps I use 'Runas' for, on those fairly rare occasions when I need to use those apps (Ashampoo Burning Studio and ImgBrn, e.g.). But most days I don't create ISO files or burn data to disc, regardless.

    Which makes me curious as to exactly what it is you spend so much time doing and that specifically requires Admin. privileges to do it?

    My habit is that about once a week I log into my Admin. account and spend a little while doing whatever it is I want/need to do with Admin. privileges (synch the clock, e.g., defrag the machine, or whatever), and then that's it. I'm logged off that account and back onto the LUA (limited user account) I use the vast majority of the time, and under which privileges I have no problem whatsoever doing the 99% of things I do on a computer.

    So the 'I need Admin. privileges all the time to do the stuff I do on a computer' attitude completely baffles me, and hence the question I asked earlier-- what is it you're doing so often that it requires those privileges constantly?
    As I said-- just curious.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I explained that part of my reason is just a matter of principle, that I'm the Administrator and am in charge, so I use my Admin account rather than assume a lesser status of user!

    Why don't you stay in the Administrator account all of the time?

    Just curious!

    ----
    rich
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SuRun is a great help, because it can remember to elevate to admin if you desire it to, as well as other features. If you are using LUA in XP, I would highly recommend at least giving it a test run.

    This is simple really; for me anyway it comes down to having to write SRP or Software Restriction Policy, and I would choose SRP. But I do try and place the full form in the beginning of the thread. If you just jump to the bottom, well, sorry, but you should have read the whole thread, right? But if I do include the full term in the beginning, I assume the reader now understands what SRP stands for.

    It is the nature of things I suppose, those of us here get so familiar with it that if we don't know what it is, we quickly find out. I have had to do this many times myself. Of course, just as many times I have seen the full version, such as Malware Bytes Anti Malware and when I see MBAM, I just figure it out.

    Somewhere here there was a thread that talked about a sticky for acronyms, I think it was in the Other Security Software thread.

    Sul.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Many reasons, but I will give you a couple specific ones. When I was using XP I often had a need for using Unlocker. Try as I might, using SuRun, I could not get that program to work in a LUA, it just needed Admin to work correctly.

    Another example was Speedfan and RivaTuner, which I used all the time on XP. You could get them both to work with SuRun, but it was really only a hacked and patched way of doing it, very prone to not working properly.

    I have a lot of respect for Windchild, as he is very knowledgeable and posts some very informative stuff. He made a comment once that has bothered me ever since. He said (something like) if a program won't work in LUA, then it is not worth using. I see his point in that. But, and I said as much, there are many very very good programs that were not designed for LUA that I was not ready to do without (Unlocker being one). Does it make more sense then to ditch the tools you like for others that you don't just so you can use LUA? It all depends I guess, but I never felt the need to do so. But, it is a great argument, that if you could use LUA except for your few tools that won't work in it, maybe you should consider using a replacement which you might not like as well, but could allow you to play in a safer state.

    As for why would someone still want to be admin, Rmus summed it up well enough.. I want to be in control and not be hassled with using RunAs or equivalent. But what reason could I have for doing this? Really? My sig says it all, which I believe came also from Windchild. I do things TO my computer normally, not WITH it. So I am always, and I do mean this, daily, always, messing with my registry or program files or windows directories, always modifying a file that is in a place off limits to users. I have no idea how many others like myself exist in this forum, but for me to run in LUA is an exercise in frustration, as almost everything I do other than surf the web requires admin rights. I might watch a movie or play a game, but normally I am simply futzing with the computer and seeing what happens or how something works.

    Sul.
     
  17. wat0114

    wat0114 Guest

    Actually with Win 7's UAC enabled and set to Default or Maximum, it's a lot like running as LUA anyway in an Administrative account because of the Standard user token applied to Explorer.exe (parent process to applications). Something I've posted before but I'll post again because I feel it's an excellent illustration of how it works:

    -http://technet.microsoft.com/en-us/library/dd835561%28WS.10%29.aspx
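A way to see the filtered-token behaviour the linked article describes on your own machine, added here as an example rather than taken from the post or the article. It asks the token of the current PowerShell process for its elevation type (TokenElevationType: 1 Default, 2 Full, 3 Limited) through a small P/Invoke wrapper, reports whether the built-in Administrator role is active in that token, and reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. "Limited" is exactly the case described above: a member of Administrators whose process is running with the standard user token.

```powershell
# Added example (not from the thread or the TechNet article). Needs PowerShell 2.0+
# for Add-Type; the P/Invoke declaration and constants follow the Win32 API.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class TokenQuery
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int infoLength, out int returnLength);

    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS values
    const int TokenElevation     = 20;

    // 1 = Default (no split token: UAC off, or a plain standard user),
    // 2 = Full (elevated half of a split token), 3 = Limited (filtered half)
    public static int ElevationType() { return Query(TokenElevationType); }

    // Non-zero when the token is elevated
    public static int IsElevated()    { return Query(TokenElevation); }

    static int Query(int infoClass)
    {
        int value, returned;
        IntPtr token = WindowsIdentity.GetCurrent().Token;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
            throw new System.ComponentModel.Win32Exception();
        return value;
    }
}
'@

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $type      = [TokenQuery]::ElevationType()
    $typeName  = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }[$type]

    # IsInRole ignores deny-only groups, so a filtered admin token reports $false here
    $adminActive = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    New-Object PSObject -Property @{
        User                = $identity.Name
        ElevationType       = $typeName
        AdminRoleActive     = $adminActive
        Elevated            = ([TokenQuery]::IsElevated() -ne 0)
        UacEnabled          = ($uac.EnableLUA -eq 1)
        # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = always prompt for consent,
        # 5 = prompt only for non-Windows binaries (the Windows 7 default)
        AdminPromptBehavior = $uac.ConsentPromptBehaviorAdmin
    }
}

$state = Get-UacTokenState
$state | Format-List User, ElevationType, AdminRoleActive, Elevated, UacEnabled, AdminPromptBehavior

switch ($state.ElevationType) {
    'Limited' { Write-Host 'Administrators member running with the filtered token: this process has standard user rights.' }
    'Full'    { Write-Host 'Elevated process: full administrator token.' }
    'Default' {
        if ($state.AdminRoleActive) { Write-Host 'Unfiltered administrator token: every process runs as admin (UAC off, or an XP-style account).' }
        else                        { Write-Host 'Standard user token with no linked administrator token.' }
    }
}
```

Run it twice, once from a normal PowerShell window and once from one started with "Run as administrator", to see the same account report Limited and then Full. The two token information classes are Vista and later; on XP the call fails with an invalid parameter error, which is consistent with the thread: on XP there is no split token, so an admin account is admin in every process, and LUA or RunAs is the only way to get a lesser token.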
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I'd like to ask this question of LUA aficionados, who I see are gathering here... :) I hope this is a fair place to pose my questions.

    I'd like to know if any LUA fans have tried Online Armor's RunSafer feature, and if so, have they found it lacking in any way? Have any of you tried it and liked it?

    I use RunSafer as recommended... with all internet-facing programs, i.e. browser, email, media player, document viewer and such as that. I believe I am much safer running my computers this way, but would like to hear what you folks think. :)

    To stay strictly on topic, I'd say that RunSafer's very existence as a firewall feature in Online Armor is testimony to LUA's importance. :thumb:
     
  19. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    Gotchya. In other words, no particular reason, other than a conscious choice you've made.

    As I mentioned earlier, people with your level of expertise can play it however they wish. You know and accept whatever consequences. Fine.

    Would you recommend to the average user to also run as Admin.?

    A conscious choice that I've made.
    It's the way I prefer to play it, and the way I feel I'm best protected given my level of security and malware-avoidance expertise. It's a level no doubt quite a bit higher than that of the average user, yet not a level that begins to approach that of yours and some others.

    Since I know that I'm safer under LUA privileges, I have no problem in recommending the same level of user privilege to those whom I instantly recognize as having a lesser level of expertise than myself.

    I hope this adequately satisfies your curiosity on the matter regarding myself.
    ____________________________

    And to Sully:

    While I find it odd that you'd find need to regularly delete so-called 'undeletable' files . . . . well, whatever. So be it.

    And a User registry hive can be altered by that particular user in most cases, regardless of privilege level-- at least that's been my experience.

    But again, my thoughts weren't intended to be directed so much to those that have a fairly high working knowledge of how their machine operates, can easily make alterations, etc., as it was to those whose level of computer literacy and security falls somewhat (or massively) short of a high working knowledge.

    Your regular 'Uncle Phil' and others with a moderate or lower level of computer knowledge and expertise have no business running with Admin. privileges as a regular routine.
    It's counter-productive to safe and smart home computing for those folks.

    I make no apologies and have no second thoughts about recommending limited user account privileges for such people, nor do I have any qualms about telling them flat-out that running with Admin. privileges is a mistake on their part which should be rectified.

    So perhaps a lot of folks who give advice on these boards run their machines with Admin. privileges.
    How about a 'show of hands' for those who consider it sage advice to recommend people in general do that? Eh?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Absolutely Not! Nor to anyone!

    This thread is not about making recommendations, as I understand it -- wearetheborg is just curious, and people are giving their own opinions and reasons for one or the other.

    ----
    rich
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why? What do you think might happen while you are using your computer, that LUA would protect you?

    I'm just curious as to what types of incidents you are concerned about.

    Thanks,

    ----
    rich
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Understand undeletable then.. open a process (assume you are experimenting for a moment) and then close process, but the process handle still has a lock on a file, perhaps a config file. Now you want to change/delete the config file, but cannot because the already closed process is not performing correctly. What do you do? Reboot? Not me, I used Unlocker. Other scenarios exist, and if you mess with things, you find them more often than if you don't. It never was a question of how "odd" it is that I would need to use it, but that my goings on with my computer led me to need a tool that would make a reboot un-needed - and Unlocker fulfilled that purpose marvelously.

    Oh, I have to mention -- HKCU? lol, no dude, not HKCU. I tread in HKLM or HKR. HKCU I hardly ever touch that area, pretty much not any User Profile area. %windir%, %sysdir% and %programfiles%, that's where I whet my appetite ;)

    As Rmus has stated, the topic of this question isn't "should Uncle Phil use LUA". I think even the most staunch Admin supporter would agree that Uncle Phil should be a User only, not Admin. I certainly make a point of persuading all my Uncles to use LUA. Uncle Phil calls me to help him even in LUA though, although his problems are usually different than they were 5 years ago. Uncle Phil deserved a chance to be an Admin but he just didn't have the stuff it takes to stay there. He is LUA now, and really doesn't understand what is happening, even though it has been explained over and over. After all, he just wants to check his mail and surf the web.. what is so wrong with clicking OK to see if he won the lottery or if someone really found his wallet? People Uncle Phil's age do lose their wallets from time to time :D

    Sul.
     
  23. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    The O.P. stated "LUA is like step 1 in security for me." That was preceded by a question of 'why doesn't LUA seem to be popular, even on Wilder's?'

    I believe LUA should be "step 1 in security" for virtually everybody.
    Those who choose not to use LUA for whatever their own reasons might be-- so be it.
    But posters at Wilder's are not in large majority the security tech experts of the world. Some are, but most are average users-- perhaps somewhat above average, as generally they're posting in an attempt to gain further knowledge and understanding.
    However, they're not using an Admin. account on Windows strictly due to personal choice and with full understanding of options and pitfalls. They're using it for the same reason as most other users-- because that's the way it gets set up 'out of the box', and they don't know or understand how it could/should be differently.
    IMO, of course. I have no stats to present. Yet I believe it to be a fair enough statement.

    Anything. Everything.
    Simply a matter of seeing no reason to have Admin. privileges for the things I do when none are required.
    One of those 'levels of security' we hear so much about.

    And my thanks to you and Sully for clarifying that Admin. privileges would not be your recommendation to others on what the preferred user-account type should be for normal daily activities.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I used Unlocker a lot until I realized I can do that with Process Explorer. Ctrl+F to search for the (file) path, and close the handle.
    Still have unlocker in my usb pen though.
     
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OS X is not Linux. It's *not* the same on Linux (or BSD) because these OS's have vetted secure repositories. There's no need to run around installing random stuff off shady Internet websites.
     