Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4
298 posts

Ultimate Geek
Inactive user


  Reply # 68043 21-Apr-2007 21:11
Send private message

Just for clarity.

 The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

...the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

And for a laugh 

 “It took $10,000 to break a Mac, but people break Windows machines for free every day!”



BDFL - Memuneh
61185 posts

Uber Geek
+1 received by user: 11968

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 68047 22-Apr-2007 06:52
Send private message

Don't get it? It's proven it can be done. That's the point. If the economics of doing it is so low that crooks won't do it in the field, that's another thing.

Surfing to an "infected" web page? Users do this all the time around the world. Not impossible at all that Mac OS users are no smarter than other and wouldn't do it.

Also, of course the attack requires a flaw. That's how it works most of the times. People notice "flaws" and use that to break in. Or have you not noticed that Apple released patches for 25 flaws in March and for 65 flaws in April?

And the money? Well clearly people don't want to invest time in breaking into Mac OS machines because of the numbers. How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows? This is because of the market penetration.

Still feeling safe?






128 posts

Master Geek


  Reply # 68053 22-Apr-2007 11:32

freitasm: Still feeling safe?


Safer than I feel using Windows, yes.


4310 posts

Uber Geek
+1 received by user: 152

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 68061 22-Apr-2007 12:34
Send private message

Actually you are just as safe using Windows if you are smart.

643 posts

Ultimate Geek


Reply # 68065 22-Apr-2007 14:06

freitasm: How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows?


The (official) Xcode developer tools for OSX are free, which is better than what can be said about Visual Studio prices. So the possibility of OSX malware being written is very real.

Apple/Mac users don't need to be vigilant, smart or spend big bucks on anti-spyware apps (and etc) to be safe online, I think thats the big difference. At the bottom line OSX is safer either by design or obscurity, take your pick Tongue out




Sniffing the glue holding the Internet together

4265 posts

Uber Geek
+1 received by user: 72

Moderator
Trusted
Lifetime subscriber

  Reply # 68066 22-Apr-2007 14:22
Send private message

I dont think anyone needs anti-spyware apps etc, it all depends on what sites you visit and what you blidly install.


On my vista PC ive been running it unprotected, defender has been disabled, for the last month with no problems what so ever :)

People just need to get a licence to use a PC :p

298 posts

Ultimate Geek
Inactive user


  Reply # 68067 22-Apr-2007 15:08
Send private message

freitasm: Don't get it? It's proven it can be done. That's the point. If the economics of doing it is so low that crooks won't do it in the field, that's another thing.


What I don't get is how you can say "only hours after a contest was launched".

I never once said it couldn't be done, so what's your point?

Surfing to an "infected" web page? Users do this all the time around the world. Not impossible at all that Mac OS users are no smarter than other and wouldn't do it.

Also, of course the attack requires a flaw. That's how it works most of the times. People notice "flaws" and use that to break in. Or have you not noticed that Apple released patches for 25 flaws in March and for 65 flaws in April?

And the money? Well clearly people don't want to invest time in breaking into Mac OS machines because of the numbers. How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows? This is because of the market penetration.


All of my quotes came from other sources and were posted for clarity on both the time frame (as yours was deceptive) and as much detail of the exploit as I could find. - Even the joke isn't mine, hence both the quote box and the "".

Still feeling safe?


Yes, there is nothing to suggest it affects Firefox.


I hope that helps you understand now

278 posts

Ultimate Geek
+1 received by user: 7

Trusted

  Reply # 68069 22-Apr-2007 15:26
Send private message

Just for clarity, from Daring Fireball:

Thomas Ptacek has the scoop: Dino Dai Zovis winning exploit in the CanSecWest contest involves Java. It is not specific to Safari; Firefox and, I presume, Camino are also vulnerable. Turning off Java in your browser should defend against it.

No word if it's specific to Mac OS X, Intel or PPC...





87 posts

Master Geek
+1 received by user: 14


Reply # 71796 22-May-2007 23:18
Send private message

@ lokinz - I'm not so sure that Firefox is any safer - the flaw was not unique to Safari.

The flaw is in Java - and so affects Windows machines as well as Macs... and of course FF too.
see here: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1252605,00.html

I've seen the opposing views about the security of Macs vs. PCs.  I do own and use both types of computers which is good.
I agree with some of the comments made here.

Windows machines can be just as safe (but are still vulnerable to the flaw used in this attack) if the user does the right things.
Unfortunately in the real world not everyone is very computer savvy or smart.

There are things that Mac users can do to make themselves more secure than the standard settings too - and I would bet that a very small percentage of Mac users actually know that.
Mac vs. PC arguments are just a waste of time.
I prefer using my Mac compared to my PC - things are just easier to do, and it seems like more fun. (And remember - it's just a preference - I still LIKE both of them)
PC users shouldn't really criticise unless they have used a Mac for a decent period of time - and ACTUALLY know.
Mac users shouldn't spout Apples marketing while sounding smug - despite how they feel about their machines.



BDFL - Memuneh
61185 posts

Uber Geek
+1 received by user: 11968

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 72396 27-May-2007 14:38
Send private message

Please patch your Mac OS systems:


"Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."






122 posts

Master Geek


  Reply # 72446 28-May-2007 06:31
Send private message

CrispinMullins: I say Apple Mac OS X is not *as* vulnerable, and I base this mainly on the economics of the hacker who wants to make as big a splash

CrispinMullins: Security by obscurity (which is essentially what we're talking about) is but one piece of the puzzle, and nobody should rely on it. But it has its merits.

I would argue that massively popular, targetted software has more security than an obscure system. From the Apache website - "Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.", so - IIS is more obscure than Apache, therefore Apache is more insecure than IIS? Without starting a flame-war, I'm sure many webmasters would respectfully disagree with you.

freitasm: However most of the malware installed on a Windows-based PC is not installed silently, but because some dumb user was tricked into opening an attachment or downloading and installing an unknown file.

Exactly. It may be that the malware 'enconomy' is not governed by the software, but the end user. Windows has strived (and largely succeeded) in securing the layman market. How many laymen are running OpenBSD? Gentoo? Of course, Ubuntu linux is making strong inroads into this demographic (now available preinstalled on Dells, school installations etc). What will be interesting in the coming years is to see how Ubuntu stands up security wise. For arguably the first time we have a free, well-known, reliable linux distro that my gran could install.

freitasm: Blame the developers who are stupid enough to require their software to run as Administrator because that's how they developed and tested without even thinking of having a second machine (or virtual machine) to test it as a normal user.

Everyone blames the developers *mumble*. On a serious note though, I've seen some major weaknesses in this vein. Applications that require the infamous 'sa' password to operate (and then store it, plaintext, on the client-side). These weren't fly-by-night small companies either, but enterprise grade applications. There's no excuse for this kind of practice, although it's often (PHB) management's fault for pushing poor (but fashionable) technology, setting unrealistic deadlines, fostering a 'who cares - so long as it does the job' attitude & overworking development staff rather than developer stupidity.

128 posts

Master Geek


  Reply # 72450 28-May-2007 07:28

rwales: I would argue that massively popular, targeted software has more security than an obscure system.


I think what you mean is that the more attention a given piece of software receives from hackers, the more likely it is that a larger percentage of existing vulnerabilities will be found, the right people notified, and the vulnerabilities removed.

But how does that detract from the reverse equation, which is that the less attention a given piece of software receives from hackers, the less likely it is that vulnerabilities will be discovered at all, by anyone? To my mind, both ring true. And security is not about the number of vulnerabilities that exist, but rather the likelihood that vulnerabilities will be found and exploited.

The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.", so - IIS is more obscure than Apache, therefore Apache is more insecure than IIS?


IIS has a market share of about 30% at the moment. That's a bit of a stretch when it comes to obscurity.

C.Mullins
On tour



122 posts

Master Geek


  Reply # 72454 28-May-2007 08:16
Send private message

I think what you mean is that the more attention a given piece of software receives from hackers, the more likely it is that a larger percentage of existing vulnerabilities will be found, the right people notified, and the vulnerabilities removed.

Yes, that's what I mean. The more scrutiny a system gets, the more holes will get fixed, the less holes will ultimately exist at the end of the day.

But how does that detract from the reverse equation, which is that the less attention a given piece of software receives from hackers, the less likely it is that vulnerabilities will be discovered at all, by anyone? To my mind, both ring true. And security is not about the number of vulnerabilities that exist, but rather the likelihood that vulnerabilities will be found and exploited.

In the 'obscure' system, holes exist and are not exploited due to 'less attention'. In the scrutinized system, holes are exploited and fixed leading to a system with less holes. Follow the trend to conclusion. What happens when hackers can no longer exploit the scrutinized system? What happens when there's more (and easier) money to be made elsewhere? The attention will shift. Hence, security through obscurity is no security at all. In a different analogy, even the most remote, 'top-secret' military installation will still have guards. Without them it wouldn't be secure.

IIS has a market share of about 30% at the moment. That's a bit of a stretch when it comes to obscurity.

I was taking the extreme to clarify the argument. Even so, Apple sold more than 1.3 million Macs in the last quarter of 1999 [macfacts]. Hardly the picture of obscurity either.

128 posts

Master Geek


  Reply # 72456 28-May-2007 08:37

rwales: What happens when hackers can no longer exploit the scrutinized system?


Um, they look for new vulnerabilities in the said system? Remember, there are no known Mac exploits in the wild...

What happens when there's more (and easier) money to be made elsewhere? The attention will shift. Hence, security through obscurity is no security at all. In a different analogy, even the most remote, 'top-secret' military installation will still have guards. Without them it wouldn't be secure.


The analogy is correct, but I fear it's an inappropriate analogy: Despite the obscurity of the vulnerabilities in Mac OS, it continues to come with a firewall as standard and a permissions system that works, for example. But as a single piece of the puzzle, security by obscurity has its merits.

I was taking the extreme to clarify the argument. Even so, Apple sold more than 1.3 million Macs in the last quarter of 1999 [macfacts]. Hardly the picture of obscurity either.


1.3 million firewalled Macs vs. god knows how many unprotected Windows machines -- that IS the picture of obscurity! And we all know which way the hackers have gone. As I say, no known Mac exploits in the wild (yet).

C. Mullins



122 posts

Master Geek


  Reply # 72462 28-May-2007 09:18
Send private message

The analogy is correct, but I fear it's an inappropriate analogy: Despite the obscurity of the vulnerabilities in Mac OS, it continues to come with a firewall as standard and a permissions system that works, for example. But as a single piece of the puzzle, security by obscurity has its merits.

The argument is obscurity versus prominance. Fundamentally, OS X is a good, secure system (based on decades of tried & tested *nix). However, obscurity is *not* what makes it secure.

1.3 million firewalled Macs vs. god knows how many unprotected Windows machines -- that IS the picture of obscurity!

It's all about economics. 1.3 million machines would be very much worth my time to compromise - and that's just what was sold in 1 quarter. If I get a buck for the raft of adverts I can put onto 1.3 million machines, that's a quick 1.3 million bucks, or just under a *lifetime* of commerical development. Can you imagine what a zero day exploit of OS X would be worth? A group of security researchers found 62 vulnerabilities in 3 months. You must be grateful they weren't tempted by the lucrative sums of money offered by spam peddlers for access to virgin desktops?

And we all know which way the hackers have gone.

So far. No guarantee where the future will take them.

As I say, no known Mac exploits in the wild (yet).

Indeed.

I have a lot of respect for Darwin/FreeBSD (although I prefer OpenBSD personally). In fact, to quote from OpenBSD's press page, "security through obscurity" is "the myth that just won't go away".

1 | 2 | 3 | 4
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.