David Overton's Blog and Discussion Site
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
Windows is now getting too difficult to hack, so the hackers sights are moving elsewhere, but that does not mean security is now easier.

I have heard many times how Windows is the big target for virus and phishing nasty people in general, but more and more people are showing that Windows is just too hard to hack when applications and other platforms offer so much more opportunity. 

From the article at eBay: Phishers getting better organized, attacking Linux Dave Cullinane, eBay's chief information and security officer said that in his previous job protecting a bank from phishers

"The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Although Linux has long been considered more secure than Windows, many of the programs that run on top of Linux have known security vulnerabilities, and if an attacker were to exploit an unpatched bug on a misconfigured system, he could seize control of the machine. "

In the same article it also mentions:

"We see a lot of Linux machines used in phishing," said Alfred Huger, vice president for Symantec Security Response. "We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based."

Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks, said Iftach Amit, director of security research with Finjan Inc.'s malicious code research center.

Now this might sound like a load of old "mine is better than yours", but there is much more to this.  Oracle, who on the whole don't make that many products, released their latest set of patches, just 51 this month - http://techworld.com/applications/news/index.cfm?newsID=10369&pagtype=all, compared to a much smaller set from Microsoft.  What is worth noting is the fact that the attack vector is moving from the OS to the applications sat on top of it.

One researcher event went as far as to say (http://www.infoworld.com/article/07/10/02/Security-researchers-look-beyond-Vista_1.html)

One well-known researcher who goes by the name Halvar Flake called Vista "arguably the most secure closed-source OS available on the market," in a blog post about BlueHat. "As a result I think that most of the security researchers will move on to greener pastures for a while. Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some antivirus software with shoddy file parsing, and the latest iTunes?"

Using social engineering and targeting other applications is now much more common place, for example Skype is dogged (http://www.infoworld.com/article/07/10/17/Trojan-imitates-Skype-steals-logins_1.html):

The program sends the victim's Skype credentials, as well as any other logins or passwords stored in Internet Explorer, to another server, wrote Villu Arak, a Skype spokesman based in Tallinn, Estonia, on a Skype blog.

Skype, the VoIP program owned by eBay, is frequently targeted by malware writers because it is widely used. Other attacks have focused on sending links to malware via Skype's chat function as well as worms.

This Trojan horse appears as an installer with Skype's logo and the name "65404-SkypeDefenderSetup.exe." Once the program is executed, users see a convincing Skype login interface, although the graphic for the "sign in" button is different from that of the genuine Skype application.

Hopefully through all of this you can see that Security was and is not about the OS, but everything on the computer, including the user.  People often ask why UAC is so vital in Vista - the answer is simple, because the user needs to learn to be aware that an application elevation is a risky business and should only be allowed when desired, expected and trustworthy.

Finally, good old Gartner has recently suggested that "broad" attacks need commoditized solutions to enable focus on more specific attacks and "inside out" rather than simply throwing barriers at the problems (http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042699&intsrc=hm_list).

 

So, what does this mean?  Well, it means that applications and architectures still need to be designed with the thought that even if a compromise happens, it should not be able to weaken the overall system.  Less running as administrator or root is required, more partitioning and awareness.

 

That is it, I hope it was a bit enlightening.  There are no "answers" to security, just more learnings.

 

ttfn

David

Technorati Tags: , ,

Posted Wed, Oct 17 2007 11:33 PM by David Overton

Comments

Tim Long wrote Is Linux Really More Secure, or is it Just Less Obvious When Compromised?
on Fri, Oct 19 2007 4:22 PM

I was reading an article by David Overton , a Microsoft employee whose opinions I really respect. Of

Add a Comment

(optional)  
(optional)
(required)  
Remember Me?

(c)David Overton 2006-18