Mac or Linux / Unix versus Windows

Henry Hertz Hobbit hhhobbit at securemecca.com
Thu Jun 10 00:12:03 MDT 2010


On 06/10/2010 03:08 AM, Michael Torrie wrote:
> On 06/09/2010 08:44 PM, Henry Hertz Hobbit wrote:
>> WE HAVE TO GET PEOPLE OFF OF MICROSOFT WINDOWS ONTO LINUX AND
>> MACINTOSH!  If somebody wants me to give a run-down on how bad
>> it is in your monthly meetings let me know and I will oblige.
>> I usually go through 6-12 Windows malware samples per day.  
> 
> We all love Linux and Mac around here, but reports lately are that OS X
> apps are just as vulnerable or more so than Windows apps, though things
> typically run as a non-root user.  What makes you think Mac or Linux
> will be any better for the majority of users?  Social engineering is
> platform agnostic, and that's what a lot of (most?) malware exploits
> these days. I'm just being the Devil's advocate here.
> 
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

Pre-PS:  Unless you are interested in security, tap / click the
delete button.  Richard Stallman doesn't use a normal browser or
email program and no - I won't tell you what he uses.  Now you
know why I said tap.

If you read my contributions you will see that the one guy posted
a - "it installed without the user doing anything."  I am speaking
of the F-Secure report. Well, it does if you run the Mac as an admin
user which is what 90% of Mac users at home are doing:

http://preview.tinyurl.com/2dcmnhb
http://preview.tinyurl.com/2ea5q29

It will also do it if you run Fedora 13 the way they originally had
it without asking for a password to install their updates!  Why
do you think I said goodbye to Fedora (besides the monitor problem)?
I also got tired of their new OS every 4-6 months with seemingly no
thought to where they are going.  That was why I just kept using
Fedora 3.  It worked so wonderfully I didn't want to stop using it.
It finally got too long in the tooth, but it was Gandalf falling into
the chasm that precipitated the change. GandalfTW is his replacement
running Ubuntu 10.04.

If I have my pick of a badly maintained Mac box running as admin
and a Windows XP box either running as a non-privileged user or
all Internet facing apps run with something that drops their rights
to a normal user (I recommend DropMyRights or better yet a
sandboxer) maintained by a very meticulous careful user then I would
probably pick the well maintained Windows box to access my bank
accounts. Security depends on MULTIPLE LAYERS OF PROTECTION WITH
EACH LAYER TAKING UP THE SLACK IF SOME OTHER LAYER FAILS! THE
PERSON USING THE SYSTEM IS A BIG PART OF THE EQUATION!

But for every one Mac malware I get I have thousands of Windows
binaries. Statistically the odds are stacked against you if you
use Windows.

Believe it or not, a little thing like me having to remake my
~/bin binaries for Ubuntu 10.04 and OpenSuse 11.2 (incompatible
libraries and neither will run on the other) is one more security
measure.  They would have to do a detect to give me the right
binary or it won't run.  How do you think I get all of that
Windows malware?  The only checks I see are for what browser
you are using.  IE-6?  WONDERFUL!  Anything else?  We will still
try.  And my WAN IP is on some hacker's black-lists.  I frequently
have to drop through an Internet proxy to get the malware and test
if a host is still bad (usually the latter).  But most of the time
they don't even check anything.  Most of the blocks I encounter are
because they have a TTL block based on the last time your WAN IP
address hits them. So you better not tromp around.  Security newbies
won't get anywhere until they learn to tread lightly.  But most of
the time they don't check for anything.

Charlie Miller may have done more harm than good.  If you look
at my Chmod Table you need to realize one thing - Microsoft did not
wait for IBM to put their file permission flags into the HPFS that
became the NTFS.  Both OpenVMS and OS/400 actually have better and
more MAC (Mandatory Access Control) granularity than what the Unix
model has.  On that, why are binaries root:root on Linux in /bin,
/usr/bin, etcetera?  I can remember them being owned by bin:bin
on Sun Solaris unless they needed to be something else.  I must
hasten to add that on those versions of Solaris, the bin user did not
have a login shell.  This MAC layer is one of the reasons the problem
isn't worse on Linux / Macintosh.  But it is just ONE reason - you
need to add more.  Now you know where I am headed.  I am doing the
same thing Charlie is doing in my own way.  I am attempting to harden
Linux / Mac BEFORE THE HACKERS GET THERE!  I can say one thing,
I feel MUCH better if a binary that has system() in it instead of
a double fork() / exec() / ssid() even if it doesn't have the
SUID / SGID bits set IS NOT OWNED BY ROOT AND IS NOT IN GROUP ROOT.
Just like putting braces in C / JavaScript / whatever for just
one statement even though it isn't required makes me feel better.
Sooner or later some programmer comes along and adds more statements
and forgets to add the opening / closing block characters.  Sooner
or later, somebody will come along and do a SUID / SGID on that
binary that may have a system() in it - it never fails.

Solaris did it by making dirs / folder root:?  (I cannot remember
the group they used but it seems like it was staff).

You are correct that social engineering will work equally well on
any other platform except for one thing - every hurdle you put in
the way that prevents a catastrophe is just one more fail-safe thing
that is in the way.  Security comes from layers, not just shifting
over to Macs and Linux.  You still need other things there.  If you
don't want to get tracked to kingdom come then you better install
either ABP with EasyPrivacy in Firefox or use my PAC filter which works
with all browsers. Actually, in Firefox I use ABP with the
EasyPrivacy+EasyList and Liste FR subscriptions, the PAC AND my
blocking hosts file - ON LINUX! I need help in setting up my port
80 phttpd to auto-start if somebody wants to volunteer. I DO NOT
HAVE THE TIME!  But if this guy that says he slips up and forgets
and uses his Windows system instead of his LiveCD to do his banking
put my PAC filter on his Windows machine and added these rules to
the PAC filter:

BadDomains[i++] = "MyBank.com";
BadDomains[i++] = "MyCreditUnion.com";

Every time he tried to go to his bank on the Windows machine he
would get a nice pretty white page.  That would remind him - you
have to use the other machine to do your banking. Every layer like
that you add gives you an EDGE. Where I am coming from is that
just shifting to Macs / Linux is only THE FIRST STEP!  Let's say
you slip up and fall for this in your email:

BogusWellsFargo DOT com
// I have to put this in with " DOT " instead of "." since it may
// not make it past the email scanner - if it was in my add.Risk
// black list it would NOT make it past the email scanner.   That
// is because many Mail Service Providers use my and other people's
// black lists in their scanners.

They give you a dire warning of impending disaster and you better
correct it right now or your account will be closed and they hide
the real URL and show it as WellsFargo.com.  Let's say you fall
for it.  Well if you are using my PAC filter these rules spring
into action to protect you:

GoodDomains[i++] = ".wellsfargo.com";
BadHostParts[i++] = "wellsfargo.com";

In the immortal words of Dr. Emmett L. Brown, you have to think
fourth dimensionally.  If I did not have the leading dot in the
first rule which is encountered first it would make it past.
It doesn't, and it hits the second rule and you get a pretty white
page.  Hopefully you will see the real URL in the browser.  That
gives you the time to say - whoa, something looks phishy here.
That is the third element of Bruce Schneier's security system,
people trained to look for something that doesn't look right.
Is the PAC filter a be-all answer?  It is just one extra thing.
In my opinion it is also easily turned off despite one person
saying he needed to format his drive to turn it off.  Oh yes,
I have looked at some of the votes at PhishTank and some of
them are real bombs - 90% see no problem when there is one.  They
are usually good with PayPal and fairly good with banking but
are poor with eBay - extremely poor!  I have added some to
my hosts file because they were still active!

Now do you see where I am headed?  I am heading people towards
Linux / Mac as only THE FIRST STEP.  I also can assure you that
if the Mac people had my blocking hosts file they would have
had one extra layer and NOT put on that screen saver that nailed
them with the Onion attack.  They would have been blocked.  That
would force them to take the time to check it out.  Windows people
are already smart enough to say - GET AWAY FROM THEM!  Now you know
why my add.Risk section is in both 'nix and Windows versions of
the blocking hosts file.  Sooner or later, whatever is causing
a problem on Windows may cause a problem on Linux or Macs.  The
only thing I am surprised by is why it is so slow coming to the
Linux & Macs.  These Onion screen savers are the opening salvo
on Mac - everything up to that I would call exploratory.  But
some of those exploratory efforts were pretty sophisticated!

HHH
PS  my DropMyRights link files are modified with a hex editor.

	http://www.SecureMecca.com/public/
	http://www.SecureMecca.com/public/DropMyRights.7z

    See if you can find where I made the changes.  At least
    you will find out what your hex editor is and the one on
    Ubuntu threw me for a loop - I have no idea what the
    name means.  I aliased them both to hexedit even though
    they are GUI programs.  That is because I am ALWAYS starting
    them in an xterm.  Now I have to remember to tack on an &.
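The allow-then-block ordering HHH describes for his PAC rules, as an added illustration that is not his PAC filter: GoodDomains is consulted first so the real bank passes, then the exact BadDomains reminders, then the BadHostParts substring rule that catches look-alikes. It assumes 127.0.0.1:80 as the address of the local phttpd serving the white page, treats a rule without a leading dot as an exact host match, and treats BadDomains entries as covering their subdomains; HHH's own filter may differ on those points.

```javascript
// Added illustration, not HHH's PAC filter. Three rule lists, checked in
// the order the mail describes: allow list, then exact bad domains, then
// substrings of the host name.
var GoodDomains  = [".wellsfargo.com"];                 // leading dot = domain and subdomains
var BadHostParts = ["wellsfargo.com"];                  // any host merely containing this
var BadDomains   = ["MyBank.com", "MyCreditUnion.com"]; // the "use the other machine" reminder

var DIRECT = "DIRECT";
var BLOCK  = "PROXY 127.0.0.1:80"; // assumed address of the local phttpd serving the white page

// A rule with a leading dot matches the bare domain and every subdomain of it;
// a rule without one matches only that exact host (assumption of this example).
function domainMatches(host, rule) {
  rule = rule.toLowerCase();
  if (rule.charAt(0) !== ".") {
    return host === rule;
  }
  return host === rule.slice(1) || host.slice(-rule.length) === rule;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var k;
  // 1. Allow list first: the real bank must never be caught by the
  //    substring rule in step 3, which also contains its name.
  for (k = 0; k < GoodDomains.length; k++) {
    if (domainMatches(host, GoodDomains[k])) { return DIRECT; }
  }
  // 2. Domains deliberately blocked on this machine, including their
  //    subdomains (that subdomain behaviour is an assumption here).
  for (k = 0; k < BadDomains.length; k++) {
    if (domainMatches(host, "." + BadDomains[k])) { return BLOCK; }
  }
  // 3. Look-alike hosts: anything that merely contains the bank's name
  //    and was not cleared in step 1 is sent to the blank page.
  for (k = 0; k < BadHostParts.length; k++) {
    if (host.indexOf(BadHostParts[k].toLowerCase()) !== -1) { return BLOCK; }
  }
  return DIRECT;
}
```

Reordering steps 1 and 3 would send the real wellsfargo.com to the blank page as well, which is the "think fourth dimensionally" point in the mail.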