Results tagged “Security” from The Hardware is Not Enough

There have been some dumb arguments floating around the web on various sites, ever since the first of the new Mac 'viruses' appeared on the scene, but this one takes the biscuit. Essentially, goes the argument, since any malware that affects a Unix system such as OS X will be capable of deleting all your personal files, Unix security is as poor as Windows'.

What would the solution to that be then? Presumably stopping a user from deleting their own files.

Dear oh dear.

Information Week has posted a story arguing that Windows is more secure than other operating systems. It uses the CERT security advisory, which lists three times as many vulnerabilities for Linux, Unix and the Mac OS as Windows, as 'proof'.

It strikes me there's an almost cognitive dissonance going on here. While the world is still reeling from the Windows Meta File vulnerability, we're expected to believe that Linux, Unix and the virus-less Mac OS are more insecure than Windows. Don't trust the evidence of your own eyes, believe the lies of these stats.

The Information Week article lists a number of reasons why the stats shouldn't be taken at face value; one reason is that Linux, Unix and Mac OS vulnerabilities are lumped together. Looking just at Mac vulnerabilities gives you a little over 25.

But no mention is made of how important these vulnerabilities were: is the ability to crash a program as important as a privilege escalation bug that can compromise the whole system? And no acknowledgment is made that a vulnerability without an exploit is only a theoretical vulnerability at most.

Equally, breakdowns on vulnerabilities in core packages versus peripheral packages is an important factor. Unix, Linux, the Mac OS and indeed Windows are composed of thousands of different programs, some of which may never be used. A vulnerability in the Windows fax software is never going to be as important as a vulnerability in Internet Explorer. On the Unix and Linux side, so many packages are optional installs that many of the supposed vulnerabilities would never exist in the vast majority of systems.

So remember to read the stats rather than the headlines. Count the actual Windows viruses and Trojans, then count the Unix/Mac/Linux ones. Which would you rather face: 2,300 theoretical vulnerabilities, only a small proportion of which could ever affect you, or the 800 or so vulnerabilities of Windows, most of which have exploits in use in the wild today?

Vista's not out yet but Windows XP Home will be obsolete after December 31. That means no free security updates for anyone with XP Home. With a devastating Internet worm infecting PCs right now, Microsoft will have to reverse this policy or have to face the fact that its Secure Computing initiative has all been for nothing: 'Microsoft' and 'insecure' will continue to be synonymous.

Here are some fun tales of computer security that have been posted on the Mac OS X Server mailing list recently:

“I was doing an audit once for this company and I asked them the question, ”What do you feel is your most secure system?“ The guy that I was interviewing quickly said, ”that is easy, the one over there,“ as he pointed to a server that was dismantled and lacking a drive or RAM. I had another client that I was auditing that had this pair of wire snips in a glass case mounted directly over their primary NAP with a sign that read ”In Case Of Hack Break Glass and Cut Red Wire!“”

“This was back in the days when computers had keyboards which were part of the computer box: you couldn't just unplug the keyboard and plug another one in. The client pointed to an Apple II and said 'The password has a 'y' in it. The 'y' key on that keyboard is broken.'”

“There was a study done a couple of years ago by the DoD that actually assessed how easy it would be to get information out of users by bribery and the results were interesting. The least amount of work was a Mountain Dew and hot dog with the most being $10,000.”

Technorati Tags: Macs, security

An article on The Register by Security Focus suggests that Macs are a potential security nightmare for enterprises. Now, to a certain extent, this is all just FUD - confessed FUD since the issuers of the security warnings admit they're doing it to make people sit up and think about future issues. Reading through the article there are hints that people don't quite understand Macs and Mac security: why worry so much about firewall-less Macs on corporate networks, particularly when there are no ports open by default on a Mac that would need firewall protection?

Similarly, arguments that while there are viruses and exploits for Linux and Windows and there aren't on Macs, that's because the Mac marketshare is so low, don't really wash. After all, Linux marketshare is no better than Mac marketshare so should be targeted as little. The article also takes little account of permissions and the administrator verification requirement needed to do anything desperately evil on a Mac.

The citing of a root kit for OS X in the article also shows that the Mac is a target, but since the root kit hasn't broken out into the wild and it has no propagation mechanism, it clearly is far harder to exploit Mac vulnerabilities than it is to exploit Windows vulnerabilities.

Nevertheless, no computer is 100% secure and putting blank and easily guessable passwords on administrator accounts is going to leave you with a compromised machine sooner or later. So don't be complacent, but don't listen to all the FUD.

Technorati Tags: Macs, security

A group of the major browser developers had a meeting recently, to decide the best ways of improving both the security of the browsers and the way they represent that security. There's a report of the meeting from one of Konqueror's developers, which suggests that Mozilla, Konqueror, Firefox, IE and Opera are all going to get the same similar interface for displaying the security of particular sites. Microsoft's IE blog has further details and screenshots of how IE 7 has already been changed to incorporate those ideas.

Technorati Tags: browsers, Open source, security, web development

The thing about having your own server is that it's available for all the Internet to see. That means people trying to break in.

This server, for instance, currently has two kinds of people trying to break in. There's a few people running random attempts to ssh in. They're guessing accounts and failing miserably.

But then there's another kind. They trying to access files via other methods. What's intriguing about them is they've guessed quite a few accounts on here, some quite obscure - not the standard names you'd find in a dictionary. That kind of hints they're cleverer. Maybe they've used OpenLDAP to guess them; maybe they've parsed the text on my site to guess them; maybe they've even read a couple of my tutorials and gleaned the account names from them. But it does imply a level of intelligence, rather than automation.

Anyway, I've changed the accounts or disabled them and doubled the password lengths, so that should set them back a bit. I'll consider modifying my firewall rules to stop access to specific services outside the local network (a pain but it should be helpful if they're using LDAP to get the accounts lists).

Soon, though, I'll be relocating all my web sites, mail server, etc to a new host (finally found one that, while it didn't explicitly state it supported MovableType, does have all the required Perl modules installed) so those worries will be a thing of the past. More importantly, it will mean I can finally turn my iMac off at nights. This is A Good Thing because it will reduce…

Technorati Tags: hackers, security, servers, site migration, web hosts

Interesting article in the latest New Scientist about the possible malware of the future: viruses that affect quantum computers.

Just installed yesterday's Security Update and now my iPod photo won't show up in iTunes, which now demands I reset the whole thing. Fingers crossed I won't have to, given my FireWire problems make back-ups hard to do these days. I'll wait and see whether anyone else reports the same issue.