Domain: beskerming.com
Stories and comments across the archive that link to beskerming.com.
Comments · 15
-
Read THIS & "channel your inner criminal" then
"I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues." - by Cheech Wizard (698728) on Sunday February 27, @04:38PM (#35333006) Homepage
Ok then, explain this: Do pickpockets operate on "crowds of 1" only, vs. massive crowds of potential possible victims in crowded city streets, train or bus stations, or malls?
ANSWER = No, they do NOT!
Pickpockets (and yes, online criminals too) go where their efforts expended to "do the job" are most effective for the BEST "ROI" (return-on-investment), from a single method of attack (codebase in malware)!
(And, just like pickpockets? THAT is done by going where the MOST POSSIBLE VICTIMS (users) ARE... & currently (and for decades now), that is on Windows).
You think share of market doesn't matter?
Today's ( & this past decade's), online criminal is NO DIFFERENT than the street pickpocket... and they are BOTH AFTER YOUR MONIES!
Thus - It makes sense for them to attempt to attack Windows on that very same basis (as it IS "where the crowds are").
NOW, ONTO ACTUAL STATISTICS/FACTS & FIGURES of UNPATCHED KNOWN SECURITY VULNERABILITIES: (MacOS X vs. Windows 7)
---
Vulnerability Report - Microsoft Windows 7:
http://secunia.com/advisories/product/27467/
Unpatched = 6 of 57 Secunia advisories
---
vs.
---
Vulnerability Report - Apple Macintosh OS X:
http://secunia.com/advisories/product/96/?task=advisories
Unpatched 9 of 150 Secunia advisories
---
NOT ONLY HAS THE CURRENT MacOS X BUILD SHOWN MORE OVERALL SECURITY ADVISORIES THAN DOES WINDOWS 7, BUT, IT ALSO HAS MORE KNOWN OUTSTANDING UNPATCHED KNOWN SECURITY VULNERABILITIES THAN DOES Windows 7... period!
(So, "argue with the numbers"... & good luck!)
Lastly - I hope one of you tries the "local/local network" vs. "remote" tactic "spin-CON-troll" too, because I'll use what I used on the Linux crew a few days back in regards to THAT little "trick" too, due to how malwares today are being constructed... & they are NOT "your dad's oldsmobile" anymore...
APK
P.S.=> Here's a list of problems MacOS X has had in its tenure, for those of you that are interested, that I've been compiling for a few years now - So, "chew on these" (35 of them, or thereabouts...):
---
MacOS X - A Worm for Your Apple MacOSX:
http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple
---
MacOS X - Another Mac Trojan/Fake Codec - Security Watch:
http://blogs.pcmag.com/securitywatch/2007/11/another_mac_trojanfake_codec.php
---
Apple's FaceTime for Mac debuts with security holes:
http://www.theregister.co.uk/2010/10/21/apple_facetime_security_hole/
---
Apple Patches OS X Flaws:
http://www.eweek.com/c/a/Apple/Apple-Patches-OS-X-Flaws/
---
Apple patches QuickTime to root out 15 ugly vulns:
http://www.theregister.co.uk/2010/12/09/apple_patches_quicktime_again/
---
Apple's Snow Leopard Is Less Secure Than Windows, But Safer:
-
Re:Correction - MacOS X has been attacked as well!
"Do you know what's easier to do than following any of those directions? Buying a fucking Mac." - by RyuuzakiTetsuya (195424) on Monday June 15, @09:37PM (#28343231)
Think so? MacOS X, once it started gaining more popularity, began to be attacked as well - proving the points I made in my "p.s." in my prior post you responded to!
APK
P.S.=> Here are 20 "evidences thereof", as to my statements above about MacOS X, being "virus/trojan/spyware/malware-in-general" prone, like ANY OS IS - thus, here we go:
A Worm for Your Apple:
http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple
Another Mac Trojan/Fake Codec:
http://blogs.pcmag.com/securitywatch/2007/11/another_mac_trojanfake_codec.php
Leopard Has More Holes than Spots:
http://www.eweek.com/c/a/Security/Leopard-Has-More-Holes-than-Spots/
Mac OS X Exploit Rapidly Follows Patch:
http://www.eweek.com/c/a/Security/Mac-OS-X-Exploit-Rapidly-Follows-Patch/
More Mac Vulnerabilities Than Windows In 2007?
http://it.slashdot.org/article.pl?sid=07/12/18/170241&from=rss
OS X Still Open to Samba Vulnerabilities:
http://www.pcmag.com/article2/0,1895,2141380,00.asp
A Little .Mac Security Flaw:
http://it.slashdot.org/it/07/12/16/0055211.shtml
Ancient Flaws May Leave Mac OS X Vulnerable:
http://apple.slashdot.org/apple/06/01/26/2224236.shtml
Apple Clients Still Vulnerable After DNS Patch:
http://it.slashdot.org/it/08/08/01/1932258.shtml
Apple Still Has Not Patched the DNS Hole:
http://it.slashdot.org/article.pl?sid=08/07/28/2311240
Mac OS X Root Escalation Through AppleScript:
http://it.slashdot.org/article.pl?sid=08/06/18/1919224
Mac OS X Users Vulnerable To Major Java Flaw:
http://it.slashdot.org/article.pl?sid=09/05/19/2344239
Macs May No Longer Be Immune to Viruses:
http://apple.slashdot.org/apple/06/05/01/0359225.shtml
OS X Leopard Firewall Flawed:
http://it.slashdot.org/article.pl?sid=07/10/30/188214
Two Trojans for MacOS X:
http://it.slashdot.org/it/08/06/25/0032226.shtml
Worm Threat Forces Apple To Disable Software?
http://it.slashdot.org/it/07/08/03/1451217.shtml
Zombie Macs Launch DoS Attack:
http://it.slashdot.org/article.pl?sid=09/04/16/2327246
Third flaw hits Mac OS X:
http://www.techworld.com/security/news/index.cfm?NewsID=5429
(Want more? I can provide them, & a larger list for Linux over time also... as I said I could in my post to the "Pro-Penguin" pe
-
Re:Who needs to avoid these countries?
-
Re:This is you on windows
I'd have to STRONGLY wager that if (insert OS type here) was as dominant a force as Microsoft Windows is today (& has been for more than 19++ yrs. now in the world of personal computers @ least), MacOS X or Linux (or whatever) would be getting as much heat from the malware makers as does Windows today.
E.G.-> IF you were a malware maker today, wouldn't YOU target the biggest mass of users you could? Sure you would, & ESPECIALLY today (they've shifted from messing up your machine, to taking YOUR MONEY instead, or using your machine as a slave), & ESPECIALLY targeting the MOST USED OS THERE IS - Windows.
Thus, imo @ least?? IF Linux or MacOS X were "top dog", market-share-wise??? They'd be under the SAME type of fire by the misguided folks that make malwares.
APK
P.S.=> Trust me, because for instance/E.G.-> MALWARE THREAT TO GNOME and KDE: http://it.slashdot.org/article.pl?sid=09/02/17/1526244 - & also A Worm for your Apple: http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple OR Worm Threat Forces Apple To Disable Software? -> http://it.slashdot.org/it/07/08/03/1451217.shtml &, the list goes on... want more? I will gladly supply them.
Thus, as you can see?
The other alternate OS types for X86 based computers also have vulnerable (or, potentially vulnerable) components, just as Microsoft products do... they just aren't as attacked because they are NOT used as much, & thus, present a more 'available' target mass... apk
-
Re:2 million a year?
According to the performance and capability link
"The figure of 2 million new site compromises per year seems to be quite significant, but could be explained by virtual hosting servers with many sites on the one physical server being compromised, leading to the same vector affecting multiple sites (in some cases thousands of sites)."
-
Details Sorely Lacking
Yeah, the article is lacking in details, which is unfortunate. Here is a nice little summary of not only the article, but also the speculation and arguments that have formed around the claims on a number of mailing lists.
-
Another Spin on the Story
Or, alternatively - $162 Million to Stop Aussies Looking at Porn.
Considered part of the campaigning for this year's Federal election in Australia, the Australian Prime Minister, John Howard, announced a $162 million USD plan to protect Australian Internet users against various Internet nasties, including porn, during a web video address to a number of Australian churches. The address was also joined by the leader of the Opposition, which suggests that the proposed plan will be left in place if they succeed in taking power later this year.
With plans to provide free internet filtering software for families, more funds for online predator detection, opportunities to lean on ISPs to stop allowing access to objectionable content, and a working group to work out ways around the privacy protection enjoyed by predators (but apparently not by the people they are supposed to protect), it is likely to become a $162 million dollar black hole, for a number of reasons.
It is important to consider who the presentation was pitched to, and who supported it. Unfortunately most of the dissenting voices from within parliament seem to be based on lines of religion (i.e. die-hard atheists complaining that Christian representatives spoke to Christian gatherings), and not on the technological shortfalls of the plan.
-
Perhaps This is a Better link
Perhaps this (http://www.beskerming.com/commentary/2007/07/27/233/iPhone_Access_Update) is a better link. No advertising, and it honours the requests of the webmasters (while still directing interested people to the right sources).
-
Re:Dupe
While some of the iPhone material that I have covered has been up on slashdot over the last couple of weeks, this is relatively new. My own article on this particular report was written a couple of days ago, reflecting material that was about 36 hours old at the time of writing.
-
Here's the solution
Well, there is always:
http://www.beskerming.com/security/2007/07/11/35/Firefox_-_Remote_hacker_automatic_control
The solution is in there, along with the report. Even when disclosing content that is extremely time sensitive, that information will always be available from our site.
-
Where do you find other services?
No, you haven't been the only one to notice that CERT has some timeliness issues when it comes to reporting on threats. Other CERTs, such as AusCERT, have the same sort of problem - particularly when you consider their public notification data (separate from their paid-for disclosure lists). Accepting that it takes time to analyse and report information, and accepting that they are disclosing to their fee-paying / sponsoring clients first, the recorded dates of information discovery are often significantly incorrect. This particular report comes as quite a surprise to us. We had always considered that variable-width encoding was relatively well understood by InfoSec companies, especially those that provide services in multiple languages. It always seemed more self-evident than HTTP-Request/Response splitting, for example.
The same timeliness problem also affects moderated sources such as BT and the various SecFocus sources, where there can be a several day delay between initial disclosure and appearance on those sources (if not longer - one particular list has recently developed a delay of > 1 week for new posts). Plus, you always get the problem of identifying what sources are accurate and relevant (hint: the CitiBank Screencap argument is about 2 years too late).
So, where do you look for additional resources? You could always look at companies like Secunia, FrSIRT, eEye, Symantec, or McAfee, but it is possible to time threat disclosure so that there is an approx 72 hour delay before they pick up on the threat, and there is always the question of coverage - McAfee will always have a focus on virus, worm and some malware threats.
Or, you could always use our services (http://www.beskerming.com).
We have a number of established free and fee-based services that deliver timely, relevant and accurate information about current and emerging threats. They effectively cut out the irrelevant noise that is most of the massive amount of data (across a number of different information channels) that is Information Security disclosure.
We have no vendor affiliation, do not rely on sponsorship or advertising in order to deliver our services, and strive to be platform neutral when analysing and reporting on issues. We know that our services are already being used by companies to augment their Incident Response Team information sources (as well as to validate the data coming from their more expensive, less-timely data sources), and for some clients our services form the core of their security response strategies.
Why not get in touch? We're more than happy to have someone chat to you about your InfoSec needs.
-
Symantec, and other Dinosaurs that are slow moving
I think it is more the case that Symantec and the other well-established Information Security vendors are like dinosaurs stuck in hot tar. The environment around them is rapidly changing, and the smarter of them are now starting to recognise that their existing income streams are becoming less relevant - as Microsoft makes security improvements to their OS, and the attackers continually test against the security products to improve their ability to avoid detection. Now that they are identifying it, it is still going to take some time for them to adjust to the new environment and results are going to be mixed (when was the last major discovery by Microsoft's much-acclaimed honey-monkeys?).
The third group of malware that you predict is out there and steadily gaining strength. Malware such as Haxdoor is used to extract as much juicy information as possible, before becoming a second stage malware (the money siphon). With the presence of significant botnets, easily written spiders / robots, it becomes a matter of how you define 'malware'. For example, some security vendors are classifying the distributed SETI client as malware, because clients are too lazy to block it via policy or other enforcement methods.
Of course, there are InfoSec companies out there that have been focussed on the changing environment from the very start.
-
It's a question of ethics
If you can excuse the small amount of self promotion, I think that this is essentially an ethical decision.
With my company (http://www.beskerming.com), we run no ads on our site, and our free mailing list is just that, free. There are no subscription fees, no advertising, no vendor pitches (besides our own occasional announcement), no spam, and no vendor sponsorship. It keeps our readers happy, and we have seen our influence stretch to over 400 million people via those responsible for their information and financial security, without really pimping the service to all and sundry. So long as we keep our overheads low, it doesn't matter how many people receive our message from that service. Sure, we'd like to make more money, grow the company and all that other stuff, but it all goes back into the company - improving the services we provide our clients.
Faith in humanity keeps the list free, and it breeds some responses in kind. After the list started getting spammed with pump'n'dump scams (at least the moderator was spammed - no messages made it on the list), we sent out a simple request for recipients to review their system security and to ask anybody they had forwarded a copy of our messages to to do the same. Within 18 hours, the spam stopped. No subscriber has ever unsubscribed, and even after polling them for what they wanted to have done with the list, most responded that they enjoyed having access to a truly free list and wanted it kept that way.
We originally started the list to build credibility and reputation in the eyes of the market, and to show some of our capabilities, and even though we only recently started spreading word about it, we have attracted some quality readership who are firm supporters (at least of our free work).
Yeah, it would be easy to spam the list silly with ads, sell the subscriber list, and otherwise bleed the readership dry, but that is not ethically or morally justifiable and so long as I control the ethical path of the company, it will never happen.
One argument that is often used to support the nepotism that used to take place in large family-owned companies is that the family had a vested interest in keeping the company solvent, and knew what it took from generation to generation to support and maintain the wealth and health of the company. Never mind that by the third generation things usually went pear shaped, as that generation was far enough removed from the founders who created the wealth so as to not understand what sacrifice and effort was required for the health of the company. Basically, the ethical decisions that created and grew the company in the first place were discarded for short term enjoyment of the wealth.
-
Ethics play a part, too.
If you can excuse the small amount of self promotion, I think that ethics plays a large part as well.
With my company (http://www.beskerming.com), we run no ads on our site, and our free mailing list is just that, free. There are no subscription fees, no advertising, no vendor pitches (besides our own occasional announcement), no spam, and no vendor sponsorship. It keeps our readers happy, and we have seen our influence stretch to over 400 million people via those responsible for their information and financial security, without really pimping the service to all and sundry. So long as we keep our overheads low, it doesn't matter how many people receive our message from that service.
Faith in humanity keeps the list free, and it breeds some responses in kind. After the list started getting spammed with pump'n'dump scams (at least the moderator was spammed - no messages made it on the list), we sent out a simple request for recipients to review their system security and to ask anybody they had forwarded a copy of our messages to to do the same. Within 18 hours, the spam stopped. No subscriber has ever unsubscribed, and even after polling them for what they wanted to have done with the list, most responded that they enjoyed having access to a truly free list and wanted it kept that way.
Yeah, it would be easy to spam the list silly with ads, sell the subscriber list, and otherwise bleed the readership dry, but that is not ethically or morally justifiable and so long as I control the ethical path of the company, it will never happen.
We originally started the list to build credibility and reputation in the eyes of the market, and to show some of our capabilities, and even though we only recently started spreading word about it, we have attracted some quality readership who are firm supporters (at least of our free work).
-
In Unexpected Ways
My company, Sûnnet Beskerming, has benefited from the OSS model in unexpected ways. In addition to providing a technological base which is infinitely customisable, many products and tools available under OSS-friendly licences allow us to quickly set up sandboxes and other testing environments where we can focus on researching and pursuing high risk (high return) ideas which would be cost prohibitive under commercial licensing.
The OSS approach to openness has also aided us in determining legitimate sources of Information Security threat data that is then distributed via our Free Security Mailing List. Having the source code at hand allows us to independently verify the reports that we uncover, and from there make an assessment of the relative technical merit of that particular source. This also means that we can more easily identify the gems amongst the sea of reports and risk announcements, allowing us to elevate the weight of what would otherwise be an unknown source.