Slashdot Mirror
US-CERT Says Microsoft's Advice On Downadup Worm Bogus
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
Why is this considered news? Microsoft's security recommendations have never been taken seriously. We're supposed to still not take them seriously? Ok. But not news, as, obviously, this is nothing new. Obviously.
November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.
Actually, I believe Windows Vista fixed this vulnerability. To bad MS did such a poor job with UAC that a lot of people might end up catching this virus anyways.
Except that this worm spreads through usb devices and is inherently not-Internet oriented. The only really safe way to use Windows is to constantly reimage your computer or to run in a virtual machine that can be reimaged every time it runs. Within 2 years, it will be feasible to run games in a VM on typical desktop hardware (once IOMMUs are common).
Palm trees and 8
And you neglect to point out that it did nothing and that UNIX systems were the first to learn how to protect against worms as a result. But did Mcrosoft choose to learn from the lessons of it's predecessors? No. It chose to ignore successful security methodologies in order to allow open communications between all software systems, api's and the user. The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.
This is my sig. There are many like it but this one is mine.
Yo! O.P. shut up you stupid mouth. I like infectig lameos. Stands now every lameo use MS Windows. Big ass of target. Cant miss such big ass. Hit something every time!
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There's a new sound, the newest sound around
The strangest sound that you have ever heard
Not like a wild boar or a jungle lion's roar
It isn't like the cry of any bird
But there's a new sound, it's deep down in the ground
And everyone who listens to it squirms
Because this new, new sound so deep under the ground
Is the sound that's made by worms
Would like to see a worm disable some of Microsoft's DRM and see how fast they come out with a working patch.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.
Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.
And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.
Microsoft deserves derision for continuing to offer and promote this feature.
If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.
Does Windows Vista or Window 7 handle this differently than XP??
break?
Comment removed based on user account deletion
Even though autorun is like one of the dumbest ideas ever, MS thinks of it as a COOL FEATURE and disabling it is going to break the COOL AUTOMATION that they have sold your grandma, who will no longer be able to just plug her camera into the computer and have it do its thing automatically. Their users might have to THINK which we all know is a bad thing, especially if you are thinking about how well your Microsoft product works.
Brackets contain world's first nanosig, highly magnified:[.]
Disable Autorun anyway, because it's fucking annoying.
Vista is the most secure windows OS, probably. "most secure" != "secure".
This worm is evidence that they still have a long way to go.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Microsoft supplied the software that allows people's computers to become infected, then gave them false information leading them to believe they're safe, when they're not really.
Suspicious...
Yeah, it's almost like they value convenience over security (having autorun), and don't know how to write perfect bug-free software like the space shuttle people do (look at the "Update:" at the end of the advisory, the fix instructions should have worked, but they don't without a patch).
Yes, but because there's no gravity in space, we have to use very powerful electric currents to magnetise our pies.
We call them magpies and eat them at our space-football games with hot chips and source.
Go Collingwood! Yeah.
"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.
Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.
2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).
The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).
In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector.
The "recommendation" referred to is almost two years old and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.
So no, not really suspicious at all. Bad on the "researchers" who have pointed to those articles for protection.
Why did neither MS or CERT suggest the use of TweakUI to turn off Autorun?
The real "Libtards" are the Libertarians!
Why does Microsoft make it so difficult to disable auto-run? I understand that many customers may like the feature, but why not a simple control panel entry to stop it? Is it somehow tied with DRM for playing videos? I'm not just griping - they must have some reason for this, anyone know what it is?
Or you could, oh I don't know, not let morons near your computer? I'm typing this on a Win2K pro machine that has been hooked to the net and running non stop for almost 9 years. In that time I have gotten zero, zip, nada, squat on the virus front. Why? Because I don't let morons on this machine, that's why.
As a PC repairman I have noticed the PEBKAC problems with Windows can nearly always be traced to one of three types. One, the "anything my friend (insert name of girlfriend) sends me has to be okay." Those can usually be dealt with by installing a decent AV and having them use webmail instead of OE. Two, the "I will click on anything that'll get me teh hot lesbos!" guy. You can usually cut down on his rate of pwnage by giving a copy of Firefox loaded with bookmarks for places like Youporn and Redtube. And three, the "I click on everything I loads off the Kazaa!" types. These are usually dumbass teenagers looking for the latest horrible pop drivel and instead clicking on "lousy_tune.mp3.exe" thinking it is their pop drivel. Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick.
The point is blaming Windows for morons is like blaming the SUV manufacturers when some woman plows through a family of five because she ran a redlight while playing with her cell phone. Stupid people will find a way to break stuff, hence why we call them stupid. If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe. It all comes back to the dancing bunny problem. The best we tech guys can do is educate where we can, and take steps like the ones listed above to minimize the damage they can do. Because I don't care which OS you give them PEBKAC problems will NEVER go away. After all this problem wouldn't exist in the first place if folks had actually bothered applying the patch the MSFT released in OCTOBER. Just further proof that they ain't exactly brain trusts we are talking about here.
ACs don't waste your time replying, your posts are never seen by me.
Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.
So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.
So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's here what and why. Otherwise, please stop going on about thing you don't understand.
Did nothing?? What planet were you on?
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Many Microsoft screw ups could be managed by changing its default settings, but unfortunately Windows caters to Grandmothers who can't follow complicated instructions such as go to run, type d:\start.exe, much less mount /dev/hdc -t iso9660 -r /cdrom, or sudo apt-get install omgponies. What really pisses me off is that the simple tools for managing common system administration is not even included with the home version, which is the version that needs the admin tools because it is more likely to be infected due to the default settings. The group policy editor is how you should disable autorun, but it isn't included with XP Home. If it were included it would be more like XP Pro, which should be their lowest version. They should have an XP tech version that allows you to increase TCP connections, and import policies without Active Directory, and allow more that 10 SMB connections, and be able to update other XP boxen with its own installed Windows patches. Oh well, at least I don't always have to tell my Mom to find My Computer, then the D Drive, which she cannot do. I just tell her to insert the damn disc. So what's my solution to this whole fiasco? ESET Nod32. Pay for it and update it. It's not perfect, but what is?
Thank you kind madam. And these magpies, do they have polarizzed crust, or are they made with ionic crumbs? I ask because I am in a space with am being hungry much. I spoke to the bird person but he whistled and pood at me. At last there is kindness in this world. I love you.
It was a afterthought?
I swear in many places it wasnt a thought at all.
Windows makes it way too easy for morons to do their thing.
Put any of those three types on Linux and lets see how much damage they can do.
In all three, no matter what they do, the core system remains fully intact.
Comment removed based on user account deletion
Thanks for pulling up that Gem from 20 + years ago. You and my wife must be related!
My name is Inigo Montoya. You killed my Father! Prepare to die!
Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.
um, what are you talking about? if there is a worm going around that exploits the AutoRun, then naturally the thing to do would be to disable AutoRun. so why is it bad on the researchers for advising people to disable a feature that makes their system more vulnerable to an ongoing security threat. and how is US-CERT or ComputerWorld "trolling" by pointing out that Microsoft's instructions for "disabling AutoRun" doesn't actually disable AutoRun?
Microsoft is the one who created a feature that is now an active malware infection vector. they are the ones who set this feature to be enabled by default. and they are the ones who made it near impossible to turn off (without downloading additional software). and to make things worse, they release inaccurate advice on how to "disable" this feature, which could potentially lull users into a false sense of security.
Even more suspicious is that this bulletin suggests there is a security flaw in the world's most secure OS, Vista. Clearly, the boys at CERT are on crack.
"Or you could, oh I don't know, not let morons near your computer?"
.exe."
.mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Palm trees and 8
The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.
I don't think I'd say it was an afterthought, that implies they believed it was important to address, once discovered late.
The closer reality seems to be that they acknowledged the issue and determined it made a better feature than vulnerability.
Like the windows autorun on media insert that's making Downadup so successful as of lately. Amazing they STILL haven't axed that. This isn't a case of them being late with a fix, this is a case of them refusing to fix it.
I work for the Department of Redundancy Department.
Nice. You just said Microsoft designs with openness in mind.
THL phish sticks
I like a different magpie, but mine uses a different "Port", same code but also with chips and source..
sorry it's weak, but I cannot believe a collingwood supporter reads slashdot !
I thought worms only lived in the dirt and my dogs ass
I've never heard Windows described quite that way.
If you want news from today, you have to come back tomorrow.
How true. IIRC, it was meant to gather information, not destroy it. I also recall that rate-limiting logic was present, but with such bad numerical assumptions as to be bogus.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context. A virus attempting to install some sort of keylogger in Firefox is forced to attack through Firefox (or another Mozilla program); compare with malware in Windows, that could attack through specially crafted music file and install a keylogger in IE.
Palm trees and 8
Any tips on how to get these people to accept the switch though? I'm trying my hardest with a guy I work with, he just cant seem to handle the transition. I got him a gmail account, set it up to retrieve his other accounts mail, explained the benefits (considerable, considering he pays way too much for metred internet access and is constantly receiving large attachments he usually doesnt need to open but Outhouse downloads them anyway... which really hits him in the wallet, not to mention that he works on multiple machines and is constantly needing an email downloaded on the other machine and gone from the server.) He understands all this, wants the better system, but still somehow just cant handle changing interfaces :( he knows how to do his work in Outhouse and becomes paralysed like a deer in the headlights looking at gmail. It's horribly sad, but I just dont know how to help him anymore, every idea I've tried comes to nothing.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
You seem angry. It makes your post read as non-smart.
Furry cows moo and decompress.
The "recommendation" referred to is almost two years old and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.
Ironically, I saw this one coming in 1998 when I first installed windows 95. I made sure to disable Autorun as soon as I figured out how to work the registry.
Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
Just install the update that Microsoft released in October?
Make that 2 Collingwood supporters :)
... that UNIX systems were the first to learn how to protect against worms as a result.
Interesting.
Do you know when they became self-aware and launched biological viruses after (or was it before) learning to protect against man-made worms?
See how much of *anything* they could do.
That's not a good thing.
Your Etch A Sketch sounds very nice. I am glas you posted this. I wonder if a spell checker can be vierually installed for you and your 100% secure OS. Ever.
P.S. Shake it good and it will go away.
You are lucky, Ed Gruberman. Few novices experience so much of Ti Kwan Leep so soon.
And you neglect to point out that it did nothing and that UNIX systems were the first to learn how to protect against worms as a result.
It did nothing except propagate, which was bad enough, but its primary entrance vector was sendmail binaries compiled with unfortunate debugging code that was effectively a passwordless root login.
So what was the primary lesson to be learned? Binaries distributed without source code and not rebuilt on a server under a watchful eye are a bad idea - true.
It will become self-aware on April 19, 2011 and will begin its attack against humanity on April 21...but hey no worries okay? We're gonna be saved by one John Connor in 2029.
Btrfs will fix that.
If you put these types on OSX or Linux they would break just as much as they do on Windows.
You had me up to that line. I have managed 4 desktop computers at a youth drop-in center for a year and a half now. We have all three of your types using these machines on a nightly basis.
On my first day all four computers ran xp Home with the youth using just the guest account. All four computers were heavily infested with you-name-it. The hard drives never stopped churning and the router lights never stopped blinking, 30 minutes after logging out.
I spent that first evening exorcising the demons on what appeared to be the worst of the four stations. I gave it a clean bill of health, tightened up security here and there, and called it a night. I decided that night that I would clean out one machine per week.
I went back for round 2 a week later and the one I had cleaned the week previous was back to its original state.
I spoke to the management and obtained permission and funds to do some minor hardware upgrades on the office computer. All the hard drives got pulled from the youth computers and assembled into a RAID on the office computer, on which I did a fresh default install of Ubuntu and ltsp. I created an account for every youth that wanted one and told them to have fun. I even installed limewire and showed some of them how to grab torrents using deluge and transmission.
A year and a half later and not a single breakage. No pop-ups, no churning disks, no dead family of five. I'm effectively unemployed with this organization.
Go ahead and tell me that Windows can be made secure. Yeah, I know. I work in 3 schools and it's all Windows or nothing, and the IT people (not me) have done a great job of locking things down and generally keeping things ticking. But that's far from default configuration.
no, "these types", the same ones who had 4 xp desks in a perpetually broken state, even with AV and limited accounts, haven't broken a default linux install yet.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
Try working in software support then.
I've heard it called much worse.
"I've got more toys than Teruhisa Kitahara."
I have not heard of such a company. Surely it must be a nom de plume for everyone in /. !
Sure, you can create such a security policy in Windows, but it is not done by default.
Really? A per-application policy? That's cool! How do you do it?
> I'm trying my hardest
> large attachments he usually doesnt need to open but Outhouse downloads them anyway
> every idea I've tried comes to nothing
You're quite the wizard, gosh he's lucky to have you helping him out.
Outlook, like every other frikken mail program, has a setting to download just the headers until you dblclick to view the message. Search on "Outlook download headers". Don't call it Outhouse, because, y'know, the search won't work that way. Am I getting too technical for you?
Rabid
for a bigger shocker, the first PC (not in sense of IBM) virus was a Mac Virus. "In the home" , Richard Skrenta 1982. It is a joke got out of hand.
I really hope nobody/no company codes a virus/worm for operating systems which are considered "super secure" by their clueless users. Results would be disastrous as there is almost no security software running on such systems.
If they don't support it, they can't play Blu-ray (and HD-DVD before that went under). Ok well what is the average consumer going to do: Blame the AACS-LA, or which ever nebulous industry licensing authority is responsible, or blame the OS maker?
Goes double since the media industry doesn't have to knuckle under. Remember most people watch movies on their TVs. While it isn't a trivial amount who watch on computers, it isn't the majority either. Thus they can get away with just selling to people with players while users scream at MS for "not supporting HD". Besides, you know Apple would (they do) and would use it as a marketing point.
So I see their choice as the correct one. It gives the consumers the most options. The OS works just fine with no HDCP unless it is demanded. If it is demanded, it is supported.
Besides, you can just as easily argue that nVidia, ATi and Intel should have killed it. If the graphics adapter doesn't support it, it's a moot issue. However they do.
They had to dress him in women's underwear to save his family from embarrassment.
You ignore an important assumption of the post you reply to, that the blackhats are aware that their target population, "those types", have migrated to Linux, and have started to target them there.
Currently there is no point to doing that, because of the very limited use of Linux by such users.
When "those types" are all using Linux, you'll need to install Plan9 or something equally exotic in order to attain the same level of security you have on your 4 Linux desktops now. Even that might not work, because in all probability (because of the way open-source works), your Plan9 installation will share applications like browsers and mail clients with the current mainstream Linux desktops.
OTOH, I still think the 4 Linux desktops will be more secure than WinXP is now, even after becoming mainstream, because more people will actually care about making them secure. You see, Microsoft currently doesn't care that much about how secure Windows is, because any security vulnerability in it is mostly an externality to them economically, they only lose a bit of reputation. So I'm fairly sure that the large group of volunteers trying to secure Linux is actually more motivated, and hopefully at a time when Linux is mainstream there would (hopefully) be even more effort being invested in securing it (of course, with the "too many cooks" effect and all, you cannot be sure this will help).
Of course, if we ever get to a future where Linux is as (or more) mainstream than Windows, what I said about Microsoft seeing security as an externality will no longer be true. So predicting the future here is about as easy as predicting the stock market.
Mod sibling up
...and the periodic screams of horror as people realise that they got taken in by "even faster and even more secure" AGAIN, provide a good one.
How many iterations of Windows is it now?
And every time the same crap. Every time they promise that "this time we've got it right" and every time they haven't.
This isn't Stockholm Syndrome this is closer to a Loony Tunes cartoon. Maybe Ballmer should appear at a press conference with a hand held sign with "This is silly!" written on it.
{[ranting mode on]}
And they have condemned us all with that Autorun feature that has only caused headache for many of us.
They have also provided us with a scripting language that is prone to bugs and security holes, which caused the widespread Melissa virus.
Later we did see the SQL Slammer virus, which also used scripting technology.
And the SMB protocol that they have created may be useful for the purpose of sharing information between machines, but it's not designed to be safe in a way that allows it to be easily filtered in firewalls to select which services that may be passed through.
In Vista they provided us with the annoying UAC, which really wasn't that effective at all, and at the same time they also inserted features that silently replaced files that you did edit in a non-microsoft editor like Vim if that file happened to be located in certain places (try to configure Apache HTTPD under Vista Ultimate with Vim).
All in the name of making it simple for stupid users. It renders a certain validity of the statement "If you make something fool-proof only a fool will use it". And considering the general market coverage that Microsoft has today people in general are fools!
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Geez...I already saw this post over at http://www.engrish.com/
Just because you've never noticed them doesn't mean you've never gotten a virus. Modern viruses are more intended to be quiet and do their spamming/backdoor thing these days, since users who find them may attempt to remove them.
And no, antivirus is not much protection.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Yes, and I love Vista's audio system ... It does high quality (32-bit floating point) software mixing of all audio streams. ... Likewise, you can control the volume on individual apps ... It's resampling engine is also great. It opens up the sound card in the mode you tell it to, and resamples all audio to that.
Darn it! You're making me like Vista! I'm feeling myself turning into another Windows zombie now.
(in a Borg voice) Come use Vista ... there is nothing to fear ... you will be assimilated (into the 90% "Windows" users).
I'm typing this on a Win2K pro machine that has been hooked to the net and running non stop for almost 9 years. In that time I have gotten zero, zip, nada, squat on the virus front.
And I've gotten 103,477,311 spam emails from your box, but who's counting? Thank you!
Yes, it's true - the first worm was written in *nix, during an age where software updates were very lazily applied and "security" meant issuing passwords.
Since then, the fundamental simpleness of the *nix design has resulted in dramatic improvements in real security without any basic re-architec ing. Compare/contrast with a prominent North American software vendor based in Redmond, WA who has some 10,000 developers working on their flagship software package used by a high percentage of the world's computer users, who have developed an API so complex and so labyrinthine that providing any real security is about as likely as making ice water dance the Mac arena by playing Lawrence Welk re-runs.
In security, simpler is pretty much always better, and the fundamentally simple POSIX environment is fundamentally as simple as it can be, as a matter of ideology. The fewer things being managed/tracked/considered, the fewer things can go wrong, and the less likely a security issue will be found. See worse is better for a better understanding of what I mean by "ideologically simple".
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Microsoft is the one who created a feature that is now an active malware infection vector.
Microsoft is the one who recreated a feature that is an active malware infection vector.
There, fixed that for you. Executing anything coming from the outside by default has ALWAYS been a horrible idea.
How many decades has it been since we all disabled uux and such from our UUCP configurations?
Now, GET OFF MY LAWN!
The other poster is right, don't call it Outhouse. The correct term is "Outlook Excrement" or "Lookout! You just got pwned!" if you are my former boss.
Seriously though, if you are trying to switch a user from mail to webmail you are going about it wrong. Gmail is great for mailheads ,NOT for those used to things like OE. The best one to switch him to is Yahoo Mail, as the new interface rips off OE enough that it feels familiar and makes them all comfy. It has the folders and layout that they are used to. Gmail is "too chatty"(quote from client) to get them to switch comfortably over. Remember....baby steps.
ACs don't waste your time replying, your posts are never seen by me.
no,
Never attribute to malice that which can be adequately explained by incompetence.
Especially when it comes to Microsoft.
MS made a recommendation that did not fix the problem, this shows incompetence, nothing else.
Sorry, but I'm afraid you are wrong. I know because I tried it once. I actually gave Linux (Kubuntu) to one of the "hot lesbos" types, and guess what? He managed to make it unbootable in less than 5 days. How? By typing in "Linux Programs" into Google and downloading a bunch of crap from Freshmeat and ending up in dependency hell. I finally had to lock him down in XP worse than any BOFH and he still has to bring it back 2 to 3 times a year to clean out the crap. And sticking them on Linux won't work for 1 and 3 because they can't run what their friends are running and you will be SO fired the first time they get a printer from Walmart and you can't make it work. To quote Forrest Gump-"Stupid is as stupid does."
ACs don't waste your time replying, your posts are never seen by me.
chkrootkit, tripwire, clamav, shorewall, john-the-ripper, and snort run on a lot of systems considered super secure by their users.
Some people consider their systems super secure because they know they are not they guess they are.
The question on freebsd-security a few years ago was what was the best way to avoid denial of service attacks if you are logging to lpr. (one of the obvious suggestions is do not log repeated messages, just the number of times the message has repeated. this will increase the work required to kill your server by running through all the paper and hanging until more boxes of paper are fed to the printers.)
That was the same list that made me realize that you should not have passwords on multiuser systems, or servers in general.
Do you really think that people use passwords like this
makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal
Phishing sites are one of the best ways to effectively get the information and tools needed to illicitly act on behalf of someone else.
At some point public key logins via ssl will become the norm, until then, passwords will be the week point in most systems.
Realize that even though debian had the ultra limp ssl keys generated it was still seems to be more productive to use password guessing than trying to try brute forcing an almost known key. Passwords suck that bad.
I would not be surprised if a sizable number of systems (more than 10%) in Arizona could be broken into this week with a dictionary attack of:
cardinals
cardina1s
Cardina1s
For those that want an analogy, imagine zoning laws that required NORAD style doors on all buildings and twenty percent of the population deciding that it is stupid and refusing to lock their doors. You would have a situation similar to the computer landscape today.
Work bio at MMWD
You DO know you are basically trying to goose me into proving a negative, correct? I mean, how do you know your Linux machines isn't pwned by an invisible virus that goes between the clock ticks? You don't. But once a year I do a "superscan" day, where I run no less than 5 scans (3 online, one network, and one based on the machine) and I don't use the standard task manager (I use process explorer which even shows what those SVCHost.DLLs are) and I have both a software and a hardware firewall, so I know of everything that goes into or out of my network.
And so far zip, nada, squat, zilch, zippo, nothing. So I think I can safely say to 99.999% certainty that this machine is clean. But it really isn't that hard. Hell I'm even running as admin. It just takes a tiny bit of common sense, which sadly seems to be in short supply these days. I don't download attachments, I don't go to topsites looking for "teh hot lesbos", and I don't let dumbasses on my machine. Pretty damned simple if you ask me. But that is why I think it is nuts to blame MSFT for stupid users.
Because MSFT can lock it down worse than any BOFH that has ever existed, and the malware writers will simply get the stupid people to happily bypass all their hard work to get the carrot dangling in front of their face. That is why we tech guys have PEBKAC and ID10T errors. There just isn't a way to fix stupid with tech. There just isn't. That is why education will NEVER work because they will happily ignore what you have taught them to get the carrot. All we can do is make as many hoops and roadblocks as we can and try to cut down on the damage they can cause.
And for all you Linux guys? Pray I tell you, PRAY to whatever God you may or may not believe in that the giant flock of stupid Windows users never EVER switch to Linux. Because they will turn your little secure haven into a malware infested swamp in a year, maybe less. Because all the tech in the world will never cause them to grow a brain. Just be happy you have a place to get away from their stupidity.
ACs don't waste your time replying, your posts are never seen by me.
Did I say anything about Linux being immune to viruses or crackers? Did I even imply it? You jump to conclusions far too easily, though given I'm a poster on slashdot, linux fanboi is a reasonable assumption without much further information;)
What I said applies equally well to all operating systems. It doesn't really matter that Linux is more secure and less common, nor that both can be locked down to a reasonable degree by a knowledgeable sysadmin.
For the record, I've had to deal with compromised linices, macs*, and windows boxen. I know full well that not everyone is a 1337 h4x0r who can secure their system to unix snobs' satisfaction. I only hope my doctor doesn't mock me in a similar way for not knowing how to cure myself.
I merely wanted to point out that the goals of compromise have shifted over the years, and one can easily mistake this for Windows (the target of most crackers) becoming more secure. I think the neverending flood of spam attests to the fact that there are plenty of compromised computers around the tubes.
You are, of course, right that one cannot prove a negative, and any acerbity in my earlier post should be attributed to the "ZOMG windows is so secure I odn't need to enable the security or instlal 3rd part ysoftware I'm never comporm1s3d lulz" sort I've been seeing lately, which you clearly are not.
* only incidentally involved
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
I like a different magpie, but mine uses a different "Port", same code but also with chips and source..
sorry it's weak, but I cannot believe a collingwood supporter reads slashdot !
I can't believe a Collingwood supporter can READ!
I am not stubborn. I am right!
This person has never heard of worms I see, you know, the kind of nasty programs that don't require user interaction to get their misdeeds done. I bet his wk2 is crawling.
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable.
There was an outbreak of malware a while back that required users to open a password-protected zip file, and execute the contents within.
You really think having to set a file +x, or running it from a commandline with 'bash file.sh' is really going to slow them down ?
The summary does provide the very same link to US-CERT.
Colorless green Cthulhu waits dreaming furiously.
We use a WSUS server to roll out updates to all our clients here and I can't find this patch for love nor money. Is there anybody running WSUS who's successfully rolled out this patch?
The CERT article says this has been updated in a security release from July 2008, the download KB950582 was released in August 2008. I find it very worrying that I can't find any trace of this on our update server. It makes me wonder what other security patches Microsoft haven't made available.
Good luck with +x vs noexec
Quick way to get 30% Funny 70% Troll: defend Opera browser on
Holy smokes, I even bolded it for you! Let's try this again, with even more formating!!
One article is for disabling Autorun on CD-ROMs specifically. One article is for disabling Autoplay. Neither article describes how to stop the autorun.inf file from being processed on all removable media, nor does either article claim do to that.
This is like hitting the button that turns off your rear windshield wiper and getting furious that your forward wipers didn't turn off. Similar and related feature, but that button wasn't made to turn off your forward wipers. You gotta spin the knobby thing to turn those off. (Sorry, best car analogy I could come up with at 4am)
the legitimate sites that have been compromised that install junk on a users workstation or steal data. You cant blame the users for going to dodgy websites when there are compromised legitimate sites.
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
Good luck with +x vs noexec
sudo cp ~/Desktop/showmetheboobies /bin; /bin/showmetheboobies
Alternatively (avoiding the need to +x as well):
perl ~/Desktop/showmetheboobies.pl
Of course, the assumption that you would be likely to see /home or /tmp mounted noexec on an unmanaged desktop PC is, itself, completely unrealistic.
...or...to quote Ron White..."You can't fix stupid."
Little tip for anyone who has "morons" in the family.
On each new USB device, create a folder (important, MUST be a folder, NOT a file), called autorun.inf. Then set the attributes on that file to +S +H +R +A (system, hidden, read only, archive).
Voila, whatever PC they promiscuously stick their USB in, this attack vector is null and void, as the virsu cannot overwrite a folder with a file of the same name.
YMMV, but since learning this tip, my missus and kids have brought home zero nastys from work, school, college etc.
sometimes the most humane thing is just to take them out the back and shoot them. i know, it's heartbreaking; but they'll be better off, and you'll be better off
I want to pass contacts just one web link to help them decide: -have I got it already? -if I have, what do I do next? -if I have not, how do I avoid getting it? They all have AV, and most are on auto-update, but they need reassurance (and I couldn't ask them to edit the registry or tussle with TweakUI). I do not see anywhere a single point of contact for unsophisticated users with the above reasonable questions. And has anyone said that running the Microsoft update will remove *existing* infections?
Unrealistic because? If distributions enforce this it is possible.
With noexec they can't just click. Users need to actively do something and know exactly what to do. Not that would stop anyone though...
Quick way to get 30% Funny 70% Troll: defend Opera browser on
that still leaves out 95% of the population;-)
I am not sure about Vista, but in Windows XP, you would create a "Software Restriction Policy:"
http://technet.microsoft.com/en-us/library/bb457006.aspx
As I said in my comment, this is not something a typical home user is going to be doing on their own.
Palm trees and 8
Holy Cow, are you saying that if there's a CDFS partition on the drive, the program specified by autorun.inf will run *regardless* of any settings?
Wow. I guess that "feature" will be coming to the next evolution of Conficker in, say, some time in the next 5 minutes?
As technology accumulates, the hatred between people tends to decrease. - Steven Pinker
and will install things when you double click on an rpm/deb file you downloaded
only if the user is a member of the admin group, which I disable for all users. There's even a GUI option for this in Ubuntu (in Manage Users/Groups): it's called "user is allowed to install software".
How dumb of me thinking it was "you must check for buffer overflows"... All that time.
Rethinking email
Unrealistic because? If distributions enforce this it is possible.
Unrealistic because it only "allows" people to run the things someone else has said they can.
For context, consider the apoplectic outrage that would ensure if Microsoft said only binaries they had approved and signed would be allowed to run [without making some registry or GPO changes] on the next version of Windows.
With noexec they can't just click.
With Windows they can't "just click". They need to go through several dialogs telling them it's a bad idea (or - from my specific example - unzip a password protected zip file, which is at least as onerous).
Users need to actively do something and know exactly what to do. Not that would stop anyone though...
Exactly my point. If people are willing to run stuff on Windows that comes inside password-protected zip files, they're willing to type a command into a prompt (which would be conveniently provided by the spam email so they could just copy & paste).
Unfortunately KB950582 was not classified as a required security patch for Windows XP, and consequently not included for distribution in Windows Update or WSUS.
You can secure windows by configuring it too you fuckwad. He was talking about default install capabilities.
Thanks. How do you find out if updates like this are available through WSUS, or whether Microsoft has decided they're not important? I couldn't see anything in the update description to distinguish it from all the other security (and other) updates that are available.
And I guess my next question is how important is this? We disable autorun via group policy already, what exactly is missing without this patch?
These are the people that put food on our table, unless they are family,
I don't charge family....but I don't help them out with this either.
The US-CERT article might have linked to an old MS article that doesn't work, but the new one doesn't work either. It requires users of Vista, for instance, to use Gpedit.msc. Type it into your search bar and run it, it says.
Vista Home Premium (and less) does not contain Gpedit.msc. I mean, for f**k's sake.
Autoplay and Autorun (along with hiding file extensions by default) are reasons that Microsoft still does not take the safety of the users of its software seriously.
Maybe this crap will rid us of Auto(play/run) forever? (I can hope.)
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
I have to admit - the next time I install a linux distro, I will be turning SELinux off by default. I installed Linux recently on an old P4 machine, and when I changed some system setting that SELinux didn't like, the machine was brought to its knees.
Not worth the extra processing power on a media box.
Mon chien, il n'a pas du nez. Comment scent-il? TrÃs mauvais!
Why link to a computerworld article about CERT's advice when you could link directly to the CERT article?
You must be new here.
Free Martian Whores!
So you're just perpetuating the the problem by ignorantly eliminating a [more] secure configuration out of the box.
Perhaps you should learn to correct the issues at hand, rather than throw the baby out with the bath water?
Well, the most secure configuration is to turn the power off. But I've eliminated that [more] secure configuration because I actually want to use the machine.
It is behind a firewall and a NAT table, and its primary network interface will be used to pull files over a LAN. In this case (and especially considering the older hardware) I just don't see that SELinux overheads are worth the supposed benefit.
Mon chien, il n'a pas du nez. Comment scent-il? TrÃs mauvais!
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context.
So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?
Although this might be more secure, I call it just a pain in the ass. Most of the SELinux policies fall into this category, although a few are just a pain in the ass without being any more secure. Add the following to your .bashrc to work around one of them:
iptables-save() {
/sbin/iptables-save $* | cat -
}
If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is read the files from the ~/.mozilla directory, write out any changes to someplace like /tmp, then "download" the files from /tmp using Firefox and store it in the correct place in ~/.mozilla. I'll bet, though, that all that would be required is the "pipe it through a trusted program" hack would work, too.
Neither article describes how to stop the autorun.inf file from being processed on all removable media
So, IS there a way to stop the autorun.inf file from being processed on all removable media?
And I think that is the main point made by the article - yeah, sure, with a bit of spin too. With all the qualifications you have on your statements, you are technically correct. However, if there are no clear instructions on how to stop the autorun.inf file from being processed on ALL media, removable or otherwise, Microsoft should provide them or explicitly say that it isn't possible. And the researchers could probably approach Microsoft in a less accusatory manner. People just want to keep their systems safe.
How does that help with "bash foo.sh"?
Although it is definitely a good idea to install the patch it will neither guarantee that no host in your environment gets infected nor does it guarantee that it will not spread within your network.
The worm propagates not only via the SMB vulnerability but also via autostart.inf on removeable media and network shares and tries to brute force your Admin$ shares with the Administrator account.
So, disabling autostart is indeed a very good idea additionally to patching the SMB vulnerability.
... don't add up.
In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
[several paragraphs later]
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
Hey, Computerworld editors (and to whomever else it may concern): when you finally tell the reader that the alert contains information the user wants to know, it might be a good idea to link to that source again so the reader doesn't have to search back in the article to find the previously supplied link. Further, I'd suggest using a link to the named anchor when available where the solution is provided to make it even easier.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Still, a much lower percentage will be able to go through all these hassle to infect themselves.
Besides, downloading and launching crap is true for (ex)-windows users as this OS has download-and-click installation principle.
Let a user start with Linux and he'll know that you install programs via package manager aka Install programs. Downloading and launching random crap simply isn't normal practice.
TweakUI is just a GUI frontend for registry settings. The TweakUI setting for AutoRun/AutoPlay is just setting the value for the NoDriveTypeAutoRun registry key, which does not work properly, as outlined in the alert.
Yeah, the US-CERT bulletin linked in the summary does actually disable processing the autorun.inf file. DISA put forward the recommendation last month to change that setting. I've tested it in the lab at work and it seems to do the trick.
I think everyone is taking this thing way over the top, the registry key setting has been known for a while now, as evidenced by this 2007 article. Users, the industry, etc just love to hate Microsoft and create panic to generate web hits. Granted MS could have came forward right away and said "in addition to the patch, make this regedit to really make sure you're safe", but it is what it is.
"bash foo.sh" is itself a script that needs the executable bit set, so it does help.
However I think the -x excuse for security on Linux is bogus.
First of all, it was not designed for that. It was designed so that a shell could quickly read all the executable commands into memory so that they could be instantly located when the user typed a command, and memory was limited so adding this so that non-executable commands were thrown out immediatly helped. If it really was a security mechanism I think bash itself might insist on foo.sh having the bit set.
Second if it were not for seeing what happened with Windows, I'm sure the people writing Firefox or Mozilla would have, without a second thought, added a feature so any downloaded executable file got the bit set for you. Or people writing finders would have made it so double-clicking, once it identified the file as an executable or shell script, would conveniently turn on the bit for you. This would have been considered a way to make it more user friendly.
"So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?"
/tmp, then "download" the files from /tmp using Firefox and store it in the correct place in ~/.mozilla. I'll bet, though, that all that would be required is the "pipe it through a trusted program" hack would work, too."
Not necessarily; you can make a policy that allows vi to edit those files. Policy tuning is tricky though, and you don't want to accidentally create an attack vector (not that Vi is a likely vector, but another editor might be).
"Although this might be more secure, I call it just a pain in the ass."
I have heard the same about using a non-root account. Security always takes away some convenience. "If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is read the files from the ~/.mozilla directory, write out any changes to someplace like
This is the idea -- you want to ensure that if something is writing to those files, and it is potentially dangerous, it is something that users need to have some minimum level of knowledge to do. Firefox writing to those files is normal; vi writing to them is potentially abnormal, and so you want to ensure that if it does happen, it is being done by someone who is aware of what is going on, or at least someone who is aware THAT it is going on. Without any SELinux policies, the edit could happen quietly, without the user ever knowing it happened.
Palm trees and 8
What makes you think the virus writers did think to delete the file before trying to write the new one. Are you assuming they are stupid?
Kudos to whomever it was at US-CERT that had the balls to take on Microsoft on this. I thought all US-CERT stuff about Windows had to be filtered through the Microsoft PR department, but this gives me some new respect for the organization.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
and it doesn't work. For folks wanting to do this on hundreds of machines: .reg file clicky method, the value that the data gets written to is (Default), not @. When reg.exe is used and @ is the target, a @ value gets created, and (Default) is blank. Using "(Default)" for the value with reg.exe creates a new (Default) entry, so there are two (Default)s in the registry. Nice. The trick is to use an empty value (/ve). So, a good reg.exe looks like:
/ve /d "@SYS:DoesNotExist"
When using "@" as the target value name with the GUI
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
Then it works. It would have been nice if the CERT folks had explained in detail the magic that the "@" in their registry file did; not all of us are Windows gurus.
This is the idea -- you want to ensure that if something is writing to those files, and it is potentially dangerous, it is something that users need to have some minimum level of knowledge to do.
No, that's stupid, because a malware writer certainly has the requisite level of knowledge to bypass the problem. The "iptables-save" example I gave was something I ran into the first day I used an SELinux-enabled system, and it took me all of 10 minutes to figure out the workaround.
So, now you have a user who thinks that as long as there is no SELinux warning, the system is safe. Well, at least's it's better than the UAC warnings, which allow the user to blindly click and let the malware run.
Add in the fact that most (if not all) of the default policies are just plain stupid (why is it OK to "cp" over a file in /var/lib/dhclient but not "mv" over it?), and you see why the first thing most admins do is disable SELinux.
Without any SELinux policies, the edit could happen quietly, without the user ever knowing it happened.
I think you are a bit confused. Once a malware writer figures the workaround, then there is no SELinux log that anything happened, because SELinux only logs "prevents" by default. And, although you can have it log "permits", nobody has that much disk space.
We disable autorun via group policy already, what exactly is missing without this patch?
The ability for the autorun-disable GPO (or registry setting) to _actually_ disable autorun. The buggy GPO/registry settings disabled the auto-popup, but when you double-click on a drive in "My Computer", Autorun.inf is still accessed, and the executable it references is still run. If the executable uses the standard drive icon or folder icon, many people won't think twice about double-clicking versus right-click-open.
Oh I'm not saying it's a cure-all for ALL potential viruses ... I'm just saying that it seems to work for the current ones doing the rounds precisely because the virus writers HAVEN'T thought of that yet.
Hmm, in that case I might be ok. Double-clicking on a CD-ROM in My Computer just opens the folder with this policy in place, and the Autorun entry is completely gone from the right-click menu.
I wonder if there's been a stealth patch somewhere. I read that this *is* deployed for Vista & Server 2008 as part of another patch, so I wonder if it snuck in.
It doesn't seem to be required for Vista either. Manual download and installation required.
Good point, if it appears to work on current ones. Do those flags help, or is it mostly that the file is a directory? I would think if the virus writer did the work to get rid of a directory, they would also think to ignore any protection those flags provide. If those flags do provide added protection against rmdir, it might help to *not* turn them on, as maybe some will notice that they have to delete the file but not think to do whatever is needed to avoid the flags. Then you can use the flags later once you start seeing ones delete the file.
I'm guessing that just a regular file with the hidden bit set will not work, as that is something the virus writers are doing already, and each virus wants to wipe out the other ones and put their own on.
"No, that's stupid, because a malware writer certainly has the requisite level of knowledge to bypass the problem. The "iptables-save" example I gave was something I ran into the first day I used an SELinux-enabled system, and it took me all of 10 minutes to figure out the workaround."
/var/lib/dhclient but not "mv" over it?), and you see why the first thing most admins do is disable SELinux."
And now the malware writer must convince the user to do something that the user was not planning to do, beyond simply opening the virus. Now the user must open virus, then write their own SELinux bypass on the malware author's instruction, and only then can the attack be completed. I never said this would cure every possible attack, I said it helped.
"Add in the fact that most (if not all) of the default policies are just plain stupid (why is it OK to "cp" over a file in
Not if they are competent when it comes to security. Mandatory ACLs and auditing are not something most sysadmins who have security concerns want to disable, especially when there is option of permissive mode which leaves auditing enabled. Sysadmins who are hoping that their firewall is enough to keep them secure -- the sort of thinking that has viruses spreading on USB keys -- might be turning SELinux off, but not anyone with more experience than that, unless they prefer some other ACL/auditing solution.
Besides, I thought this was a conversation about non-enterprise users, who do not have sysadmins there configuring their computers?
"I think you are a bit confused. Once a malware writer figures the workaround, then there is no SELinux log that anything happened, because SELinux only logs "prevents" by default. And, although you can have it log "permits", nobody has that much disk space."
Except that the workaround will require social engineering, assuming a reasonably sane SELinux policy from the distro, which is the best one can hope for in a non-enterprise installation. Social engineering is not a problem that can be solved by SELinux, nor is SELinux intended to solve it. For home users, SELinux prevents quiet attacks (or should prevent them if the distro policy maintainers are decent, like Dan Walsh), and for enterprise users it allows the effects of social engineering to be dulled and the user who was "engineered" to be traced more easily.
Palm trees and 8
For those of us who were doing computing in the early 90s, USB-propagated viruses shouldn't be any surprise; they're just a rediscovery of the floppy disk viruses that used to be so popular. After all, it's a way to move files between machines, and also a way to move file systems with arbitrary contents that the operating system looks at before the user does. So if the OS is vulnerable, or if the files are opened by programs that treat data files as executable code, then you're open to trouble.
The "Jerusalem B" virus showed up a year before the Morris Worm. It was the first PC virus I met in the wild, around 1990, when a coworker's PC got infected by a floppy he brought in from home, where his home PC was infected by a floppy his kid brought home from school or from the kid's friends, probably with some pirated game software.
Most of the files people move around on USB sticks where I work are Microsoft Office documents, either Powerpoint or Word, and the most common time they're used is between a sales person and a customer, for instance to hand off an electronic copy of an RFP (too big to email), or to hand off a Powerpoint presentation to the person running a projector at a meeting (because the customer's LAN or wireless doesn't support adequate guest access for the sales person to connect to his email system and email it, or just because it's faster.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It took him 5 days to bork Linux? :P
How long with a unaltered XP installation?
Next time give him Linux *without* the root password.
He doesnt need it to use the computer and he cant bork it then.
He would probably have more flexibility than your locked down XP.
The second article (the one on NoDriveTypeAutoRun) is actually for how to disable AutoRun. The problem is that even Microsoft themselves conflates the terms AutoRun and Autoplay. If you look at the article, you will notice that it was written for Windows 2000. AutoPlay was not introduced until Windows XP. So basically, you've got an article that uses the term "Autoplay" before the feature was released or publicly known.
So although the NoDriveTypeAutoRun article uses the term "Autoplay," it should be interpreted as meaning "AutoRun." The setting does not disable AutoPlay as most people understand it (the menu with multiple choices as for what to do with a plugged-in device). Now, the main issue here is that the article is not accurate, as Windows does not actually fully obey the setting unless a special update, which is not automatically deployed via Microsoft Update for all systems, is installed.
Did Downadup/conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems in their networks. check it out here: http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html
So you are implying /bin/bash is not executable?! Please!
You see, it does not matter whether foo.sh has execute bit on or not.
I'm saying that if the worm can execute "bash foo.sh" it can also execute "rm -rf ~" and other bad stuff.
And now the malware writer must convince the user to do something that the user was not planning to do, beyond simply opening the virus. Now the user must open virus, then write their own SELinux bypass on the malware author's instruction, and only then can the attack be completed.
Do you not understand the point I was making? The "bypass" is that the malware author needs to add "| cat -" on to the end of a "protected" command. Once you get the user to execute the "malware installer", it's over, since that script can now do anything that the executing user can do. If the executing user has the ability to run as root (like having run sudo recently), it's really over.
SELinux can't protect against anything if you are running as root, since root, by definition has to be able to do everything. So, there is some workaround for every SELinux "protection". The only actual protection a *nix system has is the file system protection, and the fact that non-root users can't just write willy-nilly to any file.
Not if they are competent when it comes to security. Mandatory ACLs and auditing are not something most sysadmins who have security concerns want to disable
SELinux doesn't provide mandatory ACLs. Only the file system provides true mandatory protection, as even root can't bypass them (especially ext3 attributes), although they can change them. The fact that I, as a non-root user, can bypass even one SELinux "protection" without having elevated privileges means it isn't "mandatory".
In addition, the only auditing that ever happens is when SELinux prevents something from happening. What about all the things that don't trigger a failure but are "bad"? How do you know they have happened. Oh, yeah, you don't, at least not from SELinux.
It's frightening that Windows has better auditing built in (although sadly not enabled by default) than even "SEcure Linux".
Except that the workaround will require social engineering,
If by "social engineering", you mean "convincing someone to in some way download your malware", then you are correct. But, that's pretty much a given for any malware, so I don't see what extra effort is required by the malware author to infect an SELinux system.
If you download an RPM or DEB and then double-click it from a GUI, it will install, after maybe asking you for a password (depending on the settings for sudo and sudo-like systems...whatever password it is asking for may be cached). If that installation process runs as root, then it can do anything and SELinux won't stop it, as any malware author will have written the install to bypass any SELinux "protection" with trivial hacks. Hell, it could even permanently turn off SELinux as part of the install (by adding "selinux=0" to the kernel command line in the bootloader).
Part of the problem with SELinux is that it really needs some good policies. How about "log every change or attempted change to any file in /bin, /sbin, /usr/bin, /usr/sbin"? With a re-direction of syslog to another machine, that's something that would be hard to get by. Sure, you could still have malware, but at least you'd know about when the change happened.
Or, how about an SHA1 hash of all the binaries and some sort of daily scanner to verify? These are real ways that you can at least know if your system is compromised, and maybe even stop it.
Last, SELinux does nothing to prevent local users from working on exploits, since they can find out exactly what the policy is and not trigger anything.
For home users, SELinux prevents quiet attacks (or should prevent them if the distro policy maintainers are decent, like Dan Walsh)
If Dan Walsh is responsible for the useless policies installed by default in Fedora 10, then your definition of "decent" is far different from mine. All they do is annoy users, while any malware writer will be able to come up with workarounds that allow install of the malware with no red flags being raised.
"Do you not understand the point I was making? The "bypass" is that the malware author needs to add "| cat -" on to the end of a "protected"" command."
Not sure which distro you are using, but on my Fedora 10 system, I got identical denials with or without your "workaround." Do you understand what you are talking about?
"The fact that I, as a non-root user, can bypass even one SELinux "protection" without having elevated privileges means it isn't "mandatory"."
Except as we have just seen, your workaround does not work. How about you first find something that actually works?
"If by "social engineering", you mean "convincing someone to in some way download your malware", then you are correct. But, that's pretty much a given for any malware, so I don't see what extra effort is required by the malware author to infect an SELinux system."
How about the part where the user needs to edit their SELinux policy, put SELinux in permissive mode, or disable SELinux for certain attacks to be successful? Like I said, find a way to quietly walk around SELinux, then we'll talk.
"If Dan Walsh is responsible for the useless policies installed by default in Fedora 10, then your definition of "decent" is far different from mine. All they do is annoy users, while any malware writer will be able to come up with workarounds that allow install of the malware with no red flags being raised."
Yes, trolls come on to our mailing list (fedora-devel-list) all the time trying to make this point. You can read the flamewars in our archive if you are interested. Like I said, come up with a workaround that actually works its way around SELinux, then we'll talk.
Palm trees and 8
The user can run, as explained in an e-mail, "save britney.mpg and do 'bash britney.mpg'". No matter about noxec, no matter whether firefox or thunderbird puts +x on the file, no matter what (and as we all know the virus would spread).
This was what I was complaining about originally (noexec gives very little help against viruses).
The noexec is advantageous only on hot-pluggable drives if at all (disabling executables on USB drive can be a nuisance).
you do realize that both of those Wikipedia links point to the same page, right?
AutoRun and AutoPlay have always been pretty much synonymous, though Microsoft now uses AutoPlay specifically to refer to the menu that pops up when autorun.inf is parsed. but there are no distinct settings for enabling/disabling AutoPlay versus AutoRun. the registry settings that enable or disable AutoPlay on specific drives are in fact the AutoRun settings.
I'm fully aware both links when to the same page. However, these days Autoplay != Autorun. Autorun is the setting that parses the autorun.inf file when media is inserted and runs whatever it's told to. Autoplay searches inserted media for audio/video/picture files and ask if you want to launch them in their respective player/viewer. Both bring up the same prompt (depending on your settings), but both perform different functions.
System -> Preferences -> Removable Disks and Media -> un-click Auto-run and Auto-open.
There. Easy, ain't it?
Off course that's on Ubuntu.