Full Disclosure mailing list archives
Re: mac trojan in-the-wild
From: Jay Sulzberger <jays () panix com>
Date: Thu, 1 Nov 2007 22:29:14 -0400 (EDT)
On Thu, 1 Nov 2007, Thor (Hammer of God) <thor () hammerofgod com> wrote:
That's an interesting figure (86% that is). Can you give us some insight into what you define as "user interaction"? If it is clicking a link or reading an HTML email, then OK. If it is opening an .exe from an email, I'd like to see what client you are talking about and what environment (meaning, what OS/email client and what did they have to do to get it to run). But specifically, how many were exploits where a user had to visit an untrusted site, download an executable, run it, and explicitly give it administrative credentials to run? Not just people running as administrator, but typing in the admin account credentials to run it as administrator as one has to do on OSX? My guess (and I'd really like to see details on your findings) is that most "interactive" issues are the more "trivial" interactive issues (like clicking a link and launching a vulnerable version of IE). But more importantly, let's look at things from the other side. Let's say I'm wrong, and that Gadi is right on target with his "hit hard" prediction and that we should be very concerned with this. Given the requirements here, that again being flagrant ignorance where all the above steps are executed (including the explicit admin part)-- what exactly are we supposed to do? If people are willing and able to go through the motions above what can we as security people do to prevent it? Far too many people in this industry are far too quick to point out how desperate the situation is at all turns, but I don't see many people offering real solutions. But you know, I have to say... If we are really going to consider this "serious," and we are really going to define part of our jobs as being responsible for stopping people who have absolutely no concerns for what they do and are willing to enter their admin credentials into any box that asks for it, then I'd say that there is a *serious* misunderstanding about what security is, and what can be done about it-- either that, or I'm just in the wrong business. t
Put in a better system of permissions. Use rolling backup. Have independent system activity watchers. These measures are just the first moves. Unix was not designed to be resistant to one million hostile actions per day by thousands of unknown attacking entities. But if you run standard Unix and you have a Net connection, that is what your Unix instance is exposed to. oo--JS. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: mac trojan in-the-wild, (continued)
- Re: mac trojan in-the-wild Nick FitzGerald (Nov 01)
- Re: mac trojan in-the-wild Dude VanWinkle (Nov 02)
- Re: mac trojan in-the-wild J. Oquendo (Nov 02)
- Re: mac trojan in-the-wild Dude VanWinkle (Nov 02)
- Re: mac trojan in-the-wild reepex (Nov 02)
- Re: mac trojan in-the-wild Simon Smith (Nov 02)
- Re: mac trojan in-the-wild Dude VanWinkle (Nov 05)
- Re: mac trojan in-the-wild Paul Schmehl (Nov 05)
- Re: mac trojan in-the-wild Roger A. Grimes (Nov 01)
- Re: mac trojan in-the-wild Thor (Hammer of God) (Nov 01)
- Re: mac trojan in-the-wild Jay Sulzberger (Nov 01)
- the heart of the problem [was: RE: mac trojan in-the-wild] Gadi Evron (Nov 02)
- Re: [funsec] the heart of the problem [was: RE: mac trojan in-the-wild] Drsolly (Nov 02)
- Re: [funsec] the heart of the problem [was: RE: mac trojan in-the-wild] yiri (Nov 02)
- Re: the heart of the problem [was: RE: mac trojan in-the-wild] Roger A. Grimes (Nov 02)
- Re: mac trojan in-the-wild Roger A. Grimes (Nov 02)
- Re: mac trojan in-the-wild David Harley (Nov 02)
- Re: mac trojan in-the-wild Peter Besenbruch (Nov 01)
- Re: mac trojan in-the-wild Paul Schmehl (Nov 01)
- Re: mac trojan in-the-wild Peter Besenbruch (Nov 01)
- Re: mac trojan in-the-wild Paul Schmehl (Nov 01)