[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] mac trojan in-the-wild -- antair restored
- To: "thor@xxxxxxxxxxxxxxx" <thor@xxxxxxxxxxxxxxx>, "Bugtraq mailing list" <bugtraq@xxxxxxxxxxxxxxxxx>, "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] mac trojan in-the-wild -- antair restored
- From: gjgowey@xxxxxxxxx
- Date: Fri, 2 Nov 2007 21:20:02 +0000
Apologies for the cut off posting (antair did it), but I have a few ideas that
I've yet to see mentioned anywhere. Maybe they exist already under a different
name, but here's my two cents in how to fix this mess.
My approach is through the implementation of multiple mechanisms in the os.
1) any file (executable, library, registry entry) that needs to be overwritten
for an upgrade should be done in such a manner that the original is recoverable
(ala subversion/cvs recoverability). This should be monitored and enforced by
the os. Windows sort of gets this right with system restore, but there's no
advanced menu to allow for a more granular selection of what's to be restored
and that's problematic at best.
2) each program should be executed in separate environments that have roll back
and security capabilities not just disposability. This is sort of an extension
of what sandboxie does and then some. By security capabilities I mean
preventing being able to fine tune the read/write access to certain directories
so that if I want to wall off certain directories in my documents from say ie
then I can do so. Currently sandboxie does not offer any granular security
controls just disposability.
The roll back feature would be to allow modifications to occur in each
segregated environment, but have the capability to roll back changes of an
individual environment without requiring a full system rollback. This would
allow a damaged environment to be restored without disturbing the whole system.
Obviously I have drawn on sandboxie heavily here and for good reason. Neither
chroot, selinux nor anything else that I've seen allow applications to run in
the native environment with access to the native executesbles and other files,
but puts up a transparent barrier between the running program and actually
modifying pre-existing files. Ideally, the operating system its self should
have all the above features.
The strategy du jour seems to be that users should have a good back up strategy
and be prepared to completely reinstall when something breaks which simply
isn't feasible for the majority of the population of computer users. Isn't it
time that we have an os that takes a different approach to read/write access,
security, and backing up? Total unmitigated read/write access where one rogue
program can sink a whole system or send your confidential information all over
the internet is the real problem. The current security model of access
controls is simply inadequate for todays dynamic environment.
The problem with the security model that presently exists is that it stems from
the unix era when programs were not loaded on by the tonage and what was loaded
on didn't change often. All that was of concern was what data the users could
access with the pre-loaded programs on the system. With todays systems it
simply is not like that anymore as todays home user is not the grizzled systems
administrator of old. Time for a new approach that melds recoverability with
security is what I say.
Geoff
Sent via BlackBerry from T-Mobile
-----Original Message-----
From: gjgowey@xxxxxxxxx
Date: Fri, 2 Nov 2007 20:24:45
Subject: re: mac trojan in-the-wild -- antair restored
That's an interesting figure (86% that is). Can you give us some
insight into what you define as "user interaction"?
If it is clicking a link or reading an HTML email, then OK. If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run). But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run? Not just people running as administrator, but typing in the admin
account credentials to run it as administrator as one has to do on OSX?
My guess (and I'd really like to see details on your findings) is that
most "interactive" issues are the more "trivial" interactive issues
(like clicking a link and launching a vulnerable version of IE).
But more importantly, let's look at things from the other side. Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"
prediction and that we should be very concerned with this. Given the
requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do? If people are willing and able to go
through the motions above what can we as security people do to prevent
it? Far too many people in this industry are far too quick to point out
how desperate the situatio
Sent via BlackBerry from T-Mobile
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/