Full Disclosure mailing list archives

Re: the heart of the problem [was: RE: mac trojan in-the-wild]


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 2 Nov 2007 08:35:12 -0400

I'll go further.  Not only is the situation totally FUBAR, but there is
nothing any of the vendors, OS or security, are doing that will make a
real dent in the malware problem over the next 5-10 years. Things are
only going to get worse.  None of the current solutions, and none of the
publicly disclosed solutions, will change the extent and damage of
computer crime. It's appalling. There are real steps we can begin to
take that will make a significant impact, but we as a society are
choosing to not do them.  I've written about this, and suggested one
potential solution in several of my articles:

http://www.infoworld.com/article/07/09/14/37OPsecadvise-five-rings-security-authentication_1.html
http://www.infoworld.com/article/07/06/22/25OPsecadvise_1.html
http://www.infoworld.com/article/07/06/15/25OPsecadvise_1.html
http://www.infoworld.com/article/07/06/15/25OPsecadvise_1.html

Anyone interested in reading them should read them in reverse order to get
my logic down on each step.

Essentially, all things Internet need to be re-engineered to remove the
default anonymity and replace it with default authentication. For
those wishing to keep absolute anonymity, keep on the old,
criminally-owned Internet, or have your traffic and content subjected to
higher levels of scrutiny.

But we will do nothing of substance until a tipping point event happens
and more blood is on the ground than needs to be.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************


-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org] 
Sent: Thursday, November 01, 2007 10:36 PM
To: Thor (Hammer of God)
Cc: Roger A. Grimes; bugtraq () securityfocus com;
full-disclosure () lists grok org uk; Alex Eckelberry;
botnets () whitestar linuxbox org; funsec () linuxbox org
Subject: the heart of the problem [was: RE: mac trojan in-the-wild]

On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:
> But more importantly, let's look at things from the other side.  Let's
> say I'm wrong, and that Gadi is right on target with his "hit hard"
I'd say we are both right.
You look at it from a security researcher stand-point. There is nothing
interesting about user-interaction, and it is even kind of lame.

From a reasonable perspective, we refuse to believe people will act so
silly.

> prediction and that we should be very concerned with this.  Given the

Not predicting, assessing.

Criminal elements have a very clear cost/benefit calculation. For
example, they won't release a 0day such as WMF or ANI as long as their
revenue goals are met with published ones. They collect statistics on
OS, browser, language, which exploit got how many, etc.

They have thousands on thousands of sites infecting users who surf (some
of them ad-based on real sites, or defaced sites such as forums that
remain with the same content only now infect people). Then there is also
spam directing people to these sites.

Now, a criminal gang (could be the mob, could be one guy) targets the
mac. So much so that they serve different malware by OS-type.

As a security researcher looking at code, bits and bytes, you are simply
not usually following what's going on in operational security where
things are bleak.

From an operational security standpoint, this equates to what happened
in the world of the Internet back when Windows 98 was around. Not what
security features it had.

> requirements here, that again being flagrant ignorance where all the
> above steps are executed (including the explicit admin part)-- what
> exactly are we supposed to do?  If people are willing and able to go
> through the motions above what can we as security people do to prevent
> it?  Far too many people in this industry are far too quick to point
> out how desperate the situation is at all turns, but I don't see many
> people offering real solutions.  But you know, I have to say...  If we
> are

Things are in fact FUBAR. We need new ideas and new solutions as,
honestly, although we want to feel we make a difference by taking care
of this or that malware or this and that C&C, we are powerless and have
not made a real difference in the past 6 years while things got worse.

We need new solutions and new ideas, and would be more than happy to
have new people exploring operational security.

The current state of Internet security is you get slapped -- BAM! -- and
you write an analysis about it. (when speaking at ISOI I actually
slapped myself -- HARD -- when I said it on stage, not a good idea for
future reference).

> really going to consider this "serious," and we are really going to
> define part of our jobs as being responsible for stopping people who
> have absolutely no concerns for what they do and are willing to enter
> their admin credentials into any box that asks for it, then I'd say
> that there is a *serious* misunderstanding about what security is, and
> what can be done about it-- either that, or I'm just in the wrong
> business.


Well, we can't choose the risks. They choose us. Sometimes they are
cool, sometimes they're not.

I often start emails by saying "first off, this is not the end of the
world, the Sun will rise tomorrow and the Internet won't die today". I
tire of it. Of course the Internet won't die today, but it is Mac
season.

Apple is very much correct in not investing in security first until now
-- from a BUSINESS standpoint, however much we as security people in our
niche can't get behind it. Things are different now and unfortunately
they have a backlog to deal with.

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
