another reason to use adblock and noscript... or just use Linux

Benjamin Scott dragonhawk at gmail.com
Wed Mar 24 13:48:23 EDT 2010


On Wed, Mar 24, 2010 at 12:23 PM, Greg Rundlett (freephile)
<greg at freephile.com> wrote:
> Of course, you can just run Linux and your system won't be vulnerable to
> most if not all such 'scareware'.

  For now.  Right now, the attackers go after Windows, because 90% of
the users run Windows.  (With a higher percentage of easily-duped
users.)

  If Linux or MacOS or AmigaOS had a huge market share, we'd see the
same attacks on them.

  "Security is a process, not a product."  -- Bruce Schneier

  One thing we get hit by occasionally at $WORK is fake anti-virus
software.  This stuff uses an animated GIF that appears as a fake
"window" which says you have a virus, then prompts the user to click
to "repair".  That click downloads an executable which they then track
down and run.  Which then puts more fake messages on their screen.
For us, remediation is at least limited to deleting stuff from their
user account, because nobody has admin rights, but it's still a pain.

  All that could happen just as easily on Linux or MacOS, or Firefox
or Chrome or Safari.  I like to joke that the executable could be
named "For God's Sake Don't Fucking Run This.EXE", and people would
still click on it.  At least, I think I'm joking.

  True, less restrictive software/settings can make it much worse by
adding pop-ups, prompts, hiding the browser toolbars, etc., and
needing fewer clicks to run that executable.  And browsing as a
privileged user is suicide, of course.

  We try to block executables from being downloaded, but attackers
have started obfuscating URLs and using SSL, so our firewall doesn't
see it.  My next counter-measure is going to be Software Restriction
Policies -- akin to mounting /home and /tmp with "noexec".  The MS
Windows ecosystem, being the steaming mess that it is, makes that a
big compatibility headache, but that's nothing new.  I've said for
years it isn't that Linux is inherently more secure than MS Windows,
it's just *much easier* and thus *much cheaper* to make secure than MS
Windows.

  But most organizations aren't willing to go to such lengths to
secure their systems, regardless of platform.  At least, not yet.

> But, for those who must use Windows, it's another reminder to use
> better browsers (e.g. Firefox and Chrome) with additional privacy
> and security elements (e.g. adblock and noscript).

  As Tom Buskey points out, your typical user will simply never put
up with the kind of inconvenience that blockers introduce.  I use them
and I find them to be a huge pain in the ass, and I'm a paranoid
control freak.

  Probably the best defense we can hope for is stronger sandboxing of
the browser, with things like SELinux or Microsoft's "Mandatory
Integrity Control" used to lower the privilege level of *everything*
done in or by or from the browser.  Go ahead, download that malware
executable.  Since the executable was written by a lower privilege
process (the browser), the executable itself will run with a lower
privilege level, and can't touch regular user areas.  This should at
least make drive-by-downloads harder.

  The problem is there will always be a way to add another layer which
the OS can't see and a luser is willing to employ.  Example: Put the
malware in a ZIP file.  ZIP file is seen as data by the OS.  The
"unzip" program is trusted and runs at normal user privilege level.
It opens the ZIP as data and copies out the executable, writing the
file as the normal user privilege level.

  One could try and counter that by causing all file I/O done with a
lower privilege file to "taint" the privilege level of the process
doing the I/O.  But people want to exchange documents and data with
each other via email and web.  (And I don't blame them; why have a
network if you're not going to use it?)  If all the data has a lower
privilege level, you're not really protecting anything anymore.
(Remember: The computer is a tool.  The reason we secure the OS is so
the OS can keep protecting the data.  We don't secure the OS for the
sake of having a secure OS.)

  Ultimately, the only real solution is better user awareness, and I
don't hold out much hope for that.

> http://news.idg.no/cw/art.cfm?id=2A32DD2B-1A64-6A71-CEBCE1F83973D7CA
> ... it boils down to way too much work that regular users won't do ...

  Exactly.

> ...it downplays the advantages of switching to Mac, and it certainly
> doesn't go far enough in that it doesn't even list switching to Linux
> as an option.

  Sure it does: "The same goes for Linux as well: A scam run past
someone using Firefox in Ubuntu is still a scam by any other name."

  That's right after the part about MacOS and "Most dangerous of all,
though, is a false sense of security: users can be duped no matter
what they're running."

  I'd say their analysis aligns with mine.

  Sorry to be a stick in the mud, but security is hard work, and most
people don't like hard work.

-- Ben
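
[Added example, not part of Ben's message or the original thread.]
The Linux half of the counter-measure above, "mounting /home and /tmp with
noexec", is only useful if you can verify it is actually in effect on the
filesystem a downloaded file lands on.  The POSIX shell script below is an
added audit check, written for this page: it reads a table in /proc/mounts
format, finds the mount point that actually holds a given path (longest
matching prefix), and reports whether that mount carries the noexec option.
The function names (mount_for_path, opts_for_mount, is_noexec, report,
sample_mounts) are this example's own, and the three-line mount table in
sample_mounts is constructed for illustration.  It also illustrates the
ZIP caveat Ben raises: a file that unzip writes into /home/alice is subject
to the same mount options as the download itself, so noexec covers both,
whereas a file copied to a mount without noexec is not.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether the filesystem
# holding a given path is mounted "noexec", reading /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# mount_for_path MOUNTSFILE PATH -> prints the longest mount point that is a
# prefix of PATH, i.e. the filesystem the path really lives on.
mount_for_path() {
    awk -v p="$2" '
        {
            mp = $2
            # "/" matches everything; otherwise PATH must equal the mount
            # point or start with "<mountpoint>/" (so /tmpfoo is not /tmp).
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        END { print best }
    ' "$1"
}

# opts_for_mount MOUNTSFILE MOUNTPOINT -> prints that mount's option list.
opts_for_mount() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# is_noexec MOUNTSFILE PATH -> exit 0 if PATH is on a noexec mount, else 1.
is_noexec() {
    mp=$(mount_for_path "$1" "$2")
    opts=$(opts_for_mount "$1" "$mp")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# sample_mounts -> writes a constructed mount table to a temp file and
# prints its name.  /home is noexec here; /tmp and / are not.
sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF
    echo "$f"
}

# report MOUNTSFILE PATH... -> one line per path, OK or WARNING.
report() {
    table=$1; shift
    for p in "$@"; do
        if is_noexec "$table" "$p"; then
            echo "OK      $p is on a noexec mount ($(mount_for_path "$table" "$p"))"
        else
            echo "WARNING $p is executable from $(mount_for_path "$table" "$p")"
        fi
    done
}

# Stand-alone use: audit the live system when /proc/mounts is readable,
# otherwise fall back to the constructed sample table.
table=/proc/mounts
[ -r "$table" ] || table=$(sample_mounts)
report "$table" /tmp /home /home/alice/Downloads/setup.exe
```

Two caveats a practitioner should keep in mind.  First, the script only
checks the mount options; whether they hold also depends on nothing
remounting the filesystem with exec later (check `mount | grep noexec`
after boot, not just /etc/fstab).  Second, noexec stops the kernel from
executing a file directly, but it does not stop an interpreter that is
already trusted from reading that file as data, which is exactly the
"another layer the OS can't see" problem Ben describes with ZIP: `sh
/home/alice/Downloads/run.sh` still works on a noexec /home.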
