On 06/10/2010 03:08 AM, Michael Torrie wrote:
> On 06/09/2010 08:44 PM, Henry Hertz Hobbit wrote:
>> WE HAVE TO GET PEOPLE OFF OF MICROSOFT WINDOWS ONTO LINUX AND
>> MACINTOSH! If somebody wants me to give a run-down on how bad
>> it is in your monthly meetings let me know and I will oblige.
>> I usually go through 6-12 Windows malware samples per day.
>
> We all love Linux and Mac around here, but reports lately are that OS X
> apps are just as vulnerable or more so than Windows apps, though things
> typically run as a non-root user. What makes you think Mac or Linux
> will be any better for the majority of users? Social engineering is
> platform agnostic, and that's what a lot of (most?) malware exploits
> these days. I'm just being the Devil's advocate here.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
Pre-PS: Unless you are interested in security, tap / click the delete button. Richard Stallman doesn't use a normal browser or email program and no - I won't tell you what he uses. Now you know why I said tap.

If you read my contributions you will see that the one guy posted a - "it installed without the user doing anything." I am speaking of the F-Secure report. Well, it does if you run the Mac as an admin user, which is what 90% of Mac users at home are doing:

http://preview.tinyurl.com/2dcmnhb
http://preview.tinyurl.com/2ea5q29

It will also do it if you run Fedora 13 the way they originally had it, without asking for a password to install their updates! Why do you think I said goodbye to Fedora (besides the monitor problem)? I also got tired of their new OS every 4-6 months with seemingly no thought to where they are going. That was why I just kept using Fedora 3. It worked so wonderfully I didn't want to stop using it. It finally got too long in the tooth, but it was Gandalf falling into the chasm that precipitated the change. GandalfTW is his replacement running Ubuntu 10.04.

If I have my pick of a badly maintained Mac box running as admin and a Windows XP box either running as a non-privileged user or with all Internet-facing apps run with something that drops their rights to a normal user (I recommend DropMyRights or better yet a sandboxer), maintained by a very meticulous, careful user, then I would probably pick the well-maintained Windows box to access my bank accounts. Security depends on MULTIPLE LAYERS OF PROTECTION WITH EACH LAYER TAKING UP THE SLACK IF SOME OTHER LAYER FAILS! THE PERSON USING THE SYSTEM IS A BIG PART OF THE EQUATION! But for every one Mac malware I get I have thousands of Windows binaries. Statistically the odds are stacked against you if you use Windows.
Believe it or not, a little thing like me having to remake my ~/bin binaries for Ubuntu 10.04 and OpenSuse 11.2 (incompatible libraries and neither will run on the other) is one more security measure. They would have to do a detect to give me the right binary or it won't run. How do you think I get all of that Windows malware? The only checks I see are for what browser you are using. IE-6? WONDERFUL! Anything else? We will still try. And my WAN IP is on some hacker's black-lists. I frequently have to drop through an Internet proxy to get the malware and test if a host is still bad (usually the latter). But most of the time they don't even check anything. Most of the blocks I encounter are because they have a TTL block based on the last time your WAN IP address hits them. So you better not tromp around. Security newbies won't get anywhere until they learn to tread lightly. But most of the time they don't check for anything. Charlie Miller may have done more harm than good.

If you look at my Chmod Table you need to realize one thing - Microsoft did not wait for IBM to put their file permission flags into the HPFS that became the NTFS. Both OpenVMS and OS/400 actually have better and more MAC (Mandatory Access Control) granularity than what the Unix model has. On that, why are binaries root:root on Linux in /bin, /usr/bin, etcetera? I can remember them being owned by bin:bin on Sun Solaris unless they needed to be something else. I must hasten to add that on those versions of Solaris, the bin user did not have a login shell. This MAC layer is one of the reasons the problem isn't worse on Linux / Macintosh. But it is just ONE reason - you need to add more. Now you know where I am headed. I am doing the same thing Charlie is doing in my own way. I am attempting to harden Linux / Mac BEFORE THE HACKERS GET THERE!
I can say one thing, I feel MUCH better if a binary that has system() in it instead of a double fork() / exec() / ssid(), even if it doesn't have the SUID / SGID bits set, IS NOT OWNED BY ROOT AND IS NOT IN GROUP ROOT. Just like putting braces in C / JavaScript / whatever for just one statement even though it isn't required makes me feel better. Sooner or later some programmer comes along and adds more statements and forgets to add the opening / closing block characters. Sooner or later, somebody will come along and do a SUID / SGID on that binary that may have a system() in it - it never fails. Solaris did it by making dirs / folders root:? (I cannot remember the group they used but it seems like it was staff).

You are correct that social engineering will work equally well on any other platform except for one thing - every hurdle you put in the way that prevents a catastrophe is just one more fail-safe thing that is in the way. Security comes from layers, not just shifting over to Macs and Linux. You still need other things there. If you don't want to get tracked to kingdom come then you better install either ABP with EasyPrivacy in Firefox or use my PAC filter, which works with all browsers. Actually, in Firefox I use ABP with the EasyPrivacy+EasyList and Liste FR subscriptions, the PAC AND my blocking hosts file - ON LINUX! I need help in setting up my port 80 phttpd to auto-start if somebody wants to volunteer. I DO NOT HAVE THE TIME!

But if this guy that says he slips up and forgets and uses his Windows system instead of his LiveCD to do his banking put my PAC filter on his Windows machine and added these rules to the PAC filter:

BadDomains[i++] = "MyBank.com";
BadDomains[i++] = "MyCreditUnion.com";

Every time he tried to go to his bank on the Windows machine he would get a nice pretty white page. That would remind him - you have to use the other machine to do your banking. Every layer like that you add gives you an EDGE.
Where I am coming from is that just shifting to Macs / Linux is only THE FIRST STEP! Let's say you slip up and fall for this in your email:

BogusWellsFargo DOT com
// I have to put this in with " DOT " instead of "." since it may
// not make it past the email scanner - if it was in my add.Risk
// black list it would NOT make it past the email scanner. That
// is because many Mail Service Providers use my and other people's
// black lists in their scanners.

They give you a dire warning of impending disaster and you better correct it right now or your account will be closed, and they hide the real URL and show it as WellsFargo.com. Let's say you fall for it. Well, if you are using my PAC filter these rules spring into action to protect you:

GoodDomains[i++] = ".wellsfargo.com";
BadHostParts[i++] = "wellsfargo.com";

In the immortal words of Dr. Emmett L. Brown, you have to think fourth dimensionally. If I did not have the leading dot in the first rule, which is encountered first, it would make it past. It doesn't, and it hits the second rule and you get a pretty white page. Hopefully you will see the real URL in the browser. That gives you the time to say - whoa, something looks phishy here. That is the third element of Bruce Schneier's security system, people trained to look for something that doesn't look right.

Is the PAC filter a be-all answer? It is just one extra thing. In my opinion it is also easily turned off, despite one person saying he needed to format his drive to turn it off. Oh yes, I have looked at some of the votes at PhishTank and some of them are real bombs - 90% see no problem when there is one. They are usually good with PayPal and fairly good with banking but are poor with eBay - extremely poor! I have added some to my hosts file because they were still active! Now do you see where I am headed? I am heading people towards Linux / Mac as only THE FIRST STEP.
I also can assure you that if the Mac people had my blocking hosts file they would have had one extra layer and NOT put on that screen saver that nailed them with the Onion attack. They would have been blocked. That would force them to take the time to check it out. Windows people are already smart enough to say - GET AWAY FROM THEM! Now you know why my add.Risk section is in both 'nix and Windows versions of the blocking hosts file. Sooner or later, whatever is causing a problem on Windows may cause a problem on Linux or Macs. The only thing I am surprised by is why it is so slow coming to the Linux & Macs. These Onion screen savers are the opening salvo on Mac - everything up to that I would call exploratory. But some of those exploratory efforts were pretty sophisticated!

HHH

PS my DropMyRights link files are modified with a hex editor.

http://www.SecureMecca.com/public/
http://www.SecureMecca.com/public/DropMyRights.7z

See if you can find where I made the changes. At least you will find out what your hex editor is, and the one on Ubuntu threw me for a loop - I have no idea what the name means. I aliased them both to hexedit even though they are GUI programs. That is because I am ALWAYS starting them in an xterm. Now I have to remember to tack on an &.
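The rule ordering the post describes (a GoodDomains entry with a leading dot checked first, then BadHostParts as a substring match, then BadDomains for the "remind me to use the other machine" trick) can be shown end to end in a small proxy auto-config file. The block below is an added illustration written for this thread; it is not the SecureMecca PAC filter and contains none of its lists. The list contents are constructed samples, `classifyHost` and `matchesDomain` are helper names chosen here, and routing blocked hosts to `PROXY 127.0.0.1:80` assumes the local port 80 phttpd the post mentions is what serves the white page.

```javascript
// Added example of PAC-style allow/block ordering. Constructed lists, not
// the SecureMecca.com filter. Helpers avoid ES6 string methods and the PAC
// built-ins (dnsDomainIs etc.) so the same logic runs in Node and in a browser's
// PAC engine.
var BLOCK_PROXY = "PROXY 127.0.0.1:80"; // assumption: local phttpd serving a blank page

var GoodDomains = [];   // trusted domain and its subdomains; leading dot is significant
var BadHostParts = [];  // substring anywhere in the host name
var BadDomains = [];    // domains to block outright (the "use the other machine" reminder)

var i = 0;
GoodDomains[i++] = ".wellsfargo.com";
i = 0;
BadHostParts[i++] = "wellsfargo.com";
i = 0;
BadDomains[i++] = "mybank.example";   // constructed placeholder for the post's MyBank.com

// True if host equals the domain or ends with "." + domain, so
// "online.wellsfargo.com" matches ".wellsfargo.com" but "boguswellsfargo.com"
// does not: the dot forces a label boundary.
function matchesDomain(host, domain) {
  var bare = domain.charAt(0) === "." ? domain.slice(1) : domain;
  var dotted = "." + bare;
  if (host === bare) { return true; }
  return host.length > dotted.length && host.slice(-dotted.length) === dotted;
}

// Evaluate the lists in the order the post relies on. Returns "allow" or "block".
function classifyHost(host) {
  host = String(host).toLowerCase();
  var k;
  // 1. Exact/subdomain match against trusted domains wins; this is why the
  //    real bank is not caught by the substring rule that follows.
  for (k = 0; k < GoodDomains.length; k++) {
    if (matchesDomain(host, GoodDomains[k])) { return "allow"; }
  }
  // 2. Substring rules catch look-alikes such as boguswellsfargo.com and
  //    wellsfargo.com.evil.example.
  for (k = 0; k < BadHostParts.length; k++) {
    if (host.indexOf(BadHostParts[k].toLowerCase()) !== -1) { return "block"; }
  }
  // 3. Outright blocked domains (and their subdomains).
  for (k = 0; k < BadDomains.length; k++) {
    if (matchesDomain(host, BadDomains[k])) { return "block"; }
  }
  return "allow";
}

// Same lists, but with the substring rule evaluated before the trusted-domain
// rule. Shown only to make the ordering point concrete: the real bank gets blocked.
function classifyHostSubstringFirst(host) {
  host = String(host).toLowerCase();
  var k;
  for (k = 0; k < BadHostParts.length; k++) {
    if (host.indexOf(BadHostParts[k].toLowerCase()) !== -1) { return "block"; }
  }
  for (k = 0; k < GoodDomains.length; k++) {
    if (matchesDomain(host, GoodDomains[k])) { return "allow"; }
  }
  return "allow";
}

// The PAC entry point browsers call for every request.
function FindProxyForURL(url, host) {
  return classifyHost(host) === "block" ? BLOCK_PROXY : "DIRECT";
}
```

With these lists the genuine `online.wellsfargo.com` goes `DIRECT`, `boguswellsfargo.com` and `wellsfargo.com.evil.example` are sent to the local blank page, and `www.mybank.example` is blocked on the machine where the reminder rule is installed; swapping the first two checks, as `classifyHostSubstringFirst` does, blocks the real bank too.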
