Saturday, October 28, 2006

Purpose of a firewall

Periodically, I see statements like "firewalls are useless" or "firewalls are dead". (Or IDS, or antivirus, pick your favorite security product category.) Does that mean you no longer need a firewall? Of course not. What it really means is a couple of things. One, a firewall is such an obvious requirement that it is just a given. And two, client-side holes are exploited so frequently that firewalls are not considered to contribute significantly as a preventative measure anymore.

Allow me to remind everyone what the purpose of a firewall is. A firewall exists so that you can do something risky on the protected side. That's it. You want to use Windows networking? You want to use cleartext protocols? You want to use enterprise software? (Or is that Enterprise Software.) Then you do that kind of thing behind a firewall.

If the systems, software, and protocols were hardened enough that they could be on a bare Internet connection, you wouldn't need a firewall. But I've never seen a company that didn't use at least one piece of software that couldn't make that cut. So they have a firewall.

Firewalls exist so that you can do risky things on the protected side.

Monday, October 23, 2006

Microsoft vs. McAfee & Symantec

I write for the Windows Secrets newsletter. Usually, you can only see my articles if you're a paid subscriber. Every once in a while, I end up writing a special update, or the featured article. Meaning, you can read them for free. I figure if you read this blog, then you probably have some interest in my writing.

This article is my take on the whole debate about Microsoft locking vendors out of the Vista 64-bit kernel.

Saturday, October 21, 2006

Nicolas Brulez analyses a virus

Nice example of a virus/bot analysis by Nicolas Brulez at Websense:

http://www.websense.com/securitylabs/blog/blog.php?BlogID=91

Has some good IDA Pro tips. Nicolas is a really good reverse engineer. He taught me the proper way to unpack a file, and helped me give a presentation at the first RECon.

RSS Feed

I suspect that no one has as of this writing, but if you've subscribed to my blog with the default Blogger Atom feed, I would appreciate it if you switched to my Feedburner one. You can see it in the upper-right if you're reading this in a browser, or use this link:
http://feeds.feedburner.com/Ryanlrussell

This is so I can keep track of you if you read this via RSS. I've also added a Site Meter counter. I'm pretty new to Blogger. If I screwed up something, please let me know.

So what's up with Digg?

First thing: I am an utter newb when it comes to Digg.com. So a lot of this post amounts to stupid user questions. But hey, maybe I'll get some answers. I did try to do some searching, but the sheer volume of "digg" hits with any given keyword makes this somewhat challenging. The volume is one of the things that makes Digg useful, but I normally read it through an RSS feed.

Yesterday, I was in a debating mood. So I waded into a Mac security discussion on Digg, here:
http://digg.com/tech_news/Mac_attacks_rare_but_rising
This is me on Digg:
http://digg.com/users/ryanlrussell/dugg
(And no argument from me that the original article there is inflammatory and inaccurate. I wanted to argue with the people who don't know the difference between threats and vulnerabilities, and so think the lack of threats means there are no vulnerabilities.)

A few brief observations. First off, tons of Mac fanboys who aren't particularly knowledgeable about security, but have a lot of blind faith. No surprise. If I make a post to the contrary, give a counterexample, or ask someone to explain their position, it gets dugg down. Also no real surprise, I've seen this happen before with other users. But I find the volume and consistency of that behavior interesting. It appears that if you don't like or don't agree with someone's post, you give it a negative digg. Well, I don't, at least not yet. If you're discussing something, simply shouting down the other person is pointless and rude. But I see that that is how it works. I'm guessing it's gameable, too? By just simply having multiple accounts?

I see that as broken. And this is from the point of view of a longtime Slashdot user. Sure, I'm used to seeing unpopular opinions modded down on Slashdot in a similar fashion. But not nearly to the same degree. Why is that? Because Slashdot has caps on both mod points, and how high or low something can be modded? And most people don't get mod points often? Because you have to supply a reason for the moderation (interesting, flamebait, etc...)? Because you can see someone's ID number, and can tell how long they have been on Slashdot? Because you can't both moderate and participate in the same discussion? I'm not sure, probably some combination of those and other factors I haven't observed.

I will throw one opinion out there, that it's probably a bad idea to simply give people an infinite supply of anonymous red buttons to shout down someone they disagree with. Especially if those buttons don't obviously represent some objective quality of the post in question.

Now, some regular bugs/questions/feature requests:

  • Why aren't discussions threaded? Why, in order to reply to a particular comment, do I have to go find the parent to the whole thread? Then I probably have to click "show comment" because it was dugg down too far. Then click reply. Then scroll all the way back up and find the post I wanted to reply to. Then manually copy the person's username into my post to show which person I'm replying to. Then cut-and-paste the text I want to quote. Doesn't seem very Web2.0y. How about if there's just a "reply" button on every post so that it's clear who I'm replying to, and it could even autoquote. You know, like every email client for the last 20 years.
  • How do I know when a discussion I'm participating in has been responded to? Part of this is related to the previous threading issue, I'm sure. It's hard to track who is talking to whom, when the discussion is almost entirely flat. So, fix that, and then give me the option of getting an email when someone responds to me. Or at least a link somewhere on the site where I can see new responses I haven't viewed yet. Where's my "subscribe to this thread" button?
  • There's no way for me to link to a particular comment?
  • When digging stories, I can filter by particular topics and properties of the submissions (age, popularity, etc..). How do I filter out the ones I've already dugg?
  • Where is Digg's todo/upcoming features list?
  • Where's the bug database for Digg, so I can see if these things are known or have been requested?
I'm not just trying to complain. Some of these things must have simple answers, and if someone would supply those for me, I would appreciate it. I have tried to do some searching, but "digg" and any keyword you can think of will simply pull up a list of stories that have been linked from Digg for that topic. There needs to be a keyword that indicates that it's about Digg itself, "metadigg" perhaps.

And, naturally, I have dugg this blog entry, so I can see some of the rest of the process, and maybe some answers to my questions. If you diggers do end up coming and helping me out, then I thank you in advance.
http://digg.com/design/Some_observations_on_Digg_from_a_newbie

OS X Malware

Just to be up front about it: Yes, this entry was created in the spirit of stabbing OS X zealots in the eye with a lit cigarette. Why? It drives me absolutely insane when people who clearly have no concept of how these things work insist that Macs can't get malware, don't have vulnerabilities, or have some magic security model. Yes, I realize trying to educate someone like that is masochistic. However, I wanted to have a more convenient place to point to when some clueless Mac fanboy says "show me even one virus for OS X!!".

I don't care to claim that the problem of malware on OS X has in any way reached significant levels. Nor am I trying to say that it is imminent. I do mean to say that it is not non-existent, and that it is certainly not impossible that it could happen.

So I'm going to try to maintain a list. I'm doing "malware" here, not exploits nor vulnerabilities. For my purposes, that includes viruses, trojan horses, worms, rootkits and spyware. I'm also going to limit this list to malware designed for OS X. There is a long list of macro/Office based stuff, things for OS 9 and below, and so on. Yes, I realize that some of it still probably works fine on OS X under the right circumstances.

Malware:
"Opener"
01Apr2004~22Oct2004
Rootkit
http://www.macintouch.com/opener.html

"osxrk"?
08Sep2004
Rootkit
http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891

"Togroot"?
http://www.oreillynet.com/cs/user/view/cs_msg/72381

"WeaponX"
~05Nov2004
http://packetstorm.security-guide.de/filedesc/wX.tar.html

(Sony Rootkit)
~11Nov2005
Rootkit
http://www.tuaw.com/2005/11/11/sonys-drm-now-for-macs-too/

"Leap-A"
16Feb2006
Trojan/Worm
http://www.macrumors.com/pages/2006/02/20060216005401.shtml
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

"Inqtana.A"
22Feb2006
Worm
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0534.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"Inqtana.B"
22Feb2006
Worm
http://www.symantec.com/security_response/writeup.jsp?docid=2006-031413-1704-99
http://www.sophos.com/security/analyses/osxinqtanab.html
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"Inqtana.C"
22Feb2006
Worm
http://www.f-secure.com/v-descs/inqtana_c.shtml
Source: http://www.digitalmunition.com/InqTana-ABC.tgz

"OSX.Macarena"
02Nov2006
Virus
http://blogs.securiteam.com/index.php/archives/714
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-110217-1331-99&tabid=1
Source: http://vx.netlux.org/src_view.php?file=machoman.zip

Not malware:
http://apple.slashdot.org/article.pl?sid=06/09/16/182207
But I put it here for reference. This is to address the people who want to claim that malware would have to ask for your admin password. Not that there is any requirement that malware be root, of course. In the OS X security model, any admin user can write to everything in /Applications.
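The point about /Applications being writable by any admin user is easy to check for yourself. The script below is an added example, not part of the original post: it lists the entries of a directory that are group- or world-writable, so on a Mac you can run it against /Applications and see which application bundles the admin group could modify without a password prompt. The directory is a parameter (an assumption made here so the script runs on any Unix), and the function names are mine.

```shell
#!/bin/sh
# Added example: audit a directory for entries that members of the owning
# group (on OS X, typically "admin" for /Applications) or anyone else can
# write to. Nothing here is specific to OS X; the path is supplied by the caller.

# Print each immediate child of the given directory that is group-writable
# or world-writable, one path per line, sorted for stable output.
group_or_world_writable() {
    dir="$1"
    find "$dir" -mindepth 1 -maxdepth 1 \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Count such entries, for a one-line audit summary.
count_writable() {
    group_or_world_writable "$1" | wc -l | tr -d ' '
}

# Typical use on a Mac (path assumed to exist there):
#   group_or_world_writable /Applications
#   echo "$(count_writable /Applications) writable bundles in /Applications"
```

Any bundle reported by this check can have its executable replaced by a process running as an admin user, which is the reason malware does not need to ask for a password to persist in /Applications.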

InqTana.D
http://www.digitalmunition.com/hacklu.html
According to the author, .D is no longer a worm, but is an autorooter. Unless I have time to look at it later and change my mind, it does not appear to meet my definition of malware.