the heart of the problem [was: RE: mac trojan in-the-wild]

[Gadi Evron <ge () linuxbox org>]

On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:
> But more importantly, let's look at things from the other side.  Let's
> say I'm wrong, and that Gadi is right on target with his "hit hard"

I'd say we are both right.
You look at it from a security researcher stand-point. There is nothing 
interesting about user-interaction, and it is even kind of lame.

> From a reasonable perspective, we refuse to believe people will act so .. 
silly.

> prediction and that we should be very concerned with this.  Given the

Not predicting, assessing.

Criminal elements have a very clear cost/benefit calculation. For example, 
they won't release a 0day such as WMF or ANI as long as their revenue 
goals are met with published ones. They collect statistics on OS, browser, 
language, which exploit got how many, etc.

They have thousands on thousands of sites infecting users who surf (some 
of them ad-based on real sites, or defaced sites such as forums that 
remain with the same content only now infect people). Then there is also 
spam directing people to these sites.

Now, a criminal gang (could be the mob could be one guy) targets the mac. 
So much so that they serve different malware by OS-type.

As a security researcher looking at code, bits and bytes, you are simply 
not usually following what's going on in operational security where things 
are bleak.

> From an operational security standpoint, this equates to what happened in 
the world of the Internet back when Windows 98 was around. Not what 
security features it had.

> requirements here, that again being flagrant ignorance where all the
> above steps are executed (including the explicit admin part)-- what
> exactly are we supposed to do?  If people are willing and able to go
> through the motions above what can we as security people do to prevent
> it?  Far too many people in this industry are far too quick to point out
> how desperate the situation is at all turns, but I don't see many people
> offering real solutions.  But you know, I have to say...  If we are

Things are in fact FUBAR. We need new ideas and new solutions as honestly, 
although we want to feel we make a difference by taking care of this or 
that malware or this and that C&C we are powerless and have not made a 
real difference in the past 6 years while things got worse.

We need new solutions and new ideas, and would be more than happy to have 
new people exploring operational security.

The current state of Internet security is you get slapped -- BAM! -- and 
you write an analysis about it. (when speaking at ISOI I actually slapped 
myself -- HARD -- when I said it on stage, not a good idea for future 
reference).

> really going to consider this "serious," and we are really going to
> define part of our jobs as being responsible for stopping people who
> have absolutely no concerns for what they do and are willing to enter
> their admin credentials into any box that asks for it, then I'd say that
> there is a *serious* misunderstanding about what security is, and what
> can be done about it-- either that, or I'm just in the wrong business.
>
> t

Well, we can't choose the risks. They choose us. Sometimes they are cool, 
sometimes they're not.

I often start emails by saying "first off, this is not the end of the 
world, the Sun will rise tomorrow and the Internet won't die today". I 
tire of it. Of course the Internet won't die today, but it is Mac season.

Apple is very much correct by not investing in security first until now -- 
from a BUSINESS standpoint, however much we as security people in our 
niche can't get behind it. Things are different now and unfortunately they 
have a backlog to deal with.

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.