dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4543
share rss forum feed


Metatron2008
Premium
join:2008-09-02
united state
reply to scross

Re: [rant] Dont they get it - its not just the hardware

said by scross:

said by Metatron2008:

The reason why hackers attack the microsft OS is simply due to market share.

This is a BS argument. The reason why hackers attack Microsoft is because it's such an easy target, with a huge attack surface - historically, at least (things MAY be a bit better these days). Maybe a lucrative one, too, today, but I remember the days when hackers did this just to show each other up, not for any particular gain. This crap started well before Microsoft had anything like the market share that it has today, and well before things were interconnected like they are today.

This goes back to the DOS days, in fact, and I remember running around doing emergency virus scans on various DOS PCs because of some presumed drop-dead date for a virus attack. I've never had to do anything like this on any other platform that I've ever worked on.

Not only is your age showing as Thaler said, but at conventions where hackers show each other up, like pwn to own, micorosft os's usually get hacked after the other os's are, or at the least after safari does.

Don't believe me?

»www.zdnet.com/blog/security/macb···-own/984

Macbook air falls in 2 minutes

»www.zdnet.com/blog/security/pwn2···ll/10588

pwn 2 own 2012: google chrome browser first to fall

»en.wikipedia.org/wiki/Pwn2Own

quote:
After the successful 2007 contest, the scope of the Pwn2Own contest was expanded to include a wider array of operating systems and browsers in 2008.

Outcome
The laptop running OS X was exploited on the second day of the contest with an exploit for the Safari browser co-written by Charlie Miller, Jake Honoroff and Mark Daniel of Independent Security Evaluators. Their exploit targeted an open-source subcomponent of the Safari browser.
The laptop running Windows Vista SP1 was exploited on the third day of the contest with an exploit for Adobe Flash co-written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.
The laptop running Ubuntu was not exploited.
own 2 pwn 2009 outcome:

quote:
On the first day of the contest, the first contestant to be selected was Charlie Miller. He exploited Safari on OS X without the aid of any browser plugins[21]. In interviews after winning the contest, Miller stressed that while it only took him minutes to run his exploit against Safari it took him many days to research and develop the exploit he used[22]. Miller won the MacBook Air as well as $5,000 for reporting his vulnerability to ZDI[23].
Continuing the random drawing on the first day of the contest, a researcher identified only by Nils was selected to go after Miller. Nils successfully ran an exploit against Internet Explorer 8 on Windows 7 Beta without the aid of any browser plugins, winning the Sony Vaio laptop and promising his vulnerability to ZDI for $5,000. In writing this exploit, Nils had to bypass an array of new anti-exploitation mitigations that Microsoft had implemented in Internet Explorer 8 and Windows 7, including Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) [23][24].
After exploiting Internet Explorer, Nils elected to continue trying his luck with the other browsers before giving up his time slot. Although Miller had already exploited Safari on OS X, Nils exploited this platform again and claimed an additional $5,000 prize from ZDI[23][25].
After exploiting Safari, Nils moved on to Firefox and again exploited this platform without the aid of any browser plugins.

Chrome, as well as all of the mobile devices, went unexploited in Pwn2Own 2009
»downloadsquad.switched.com/2010/···tanding/

quote:
Pwn2Own 2010 is under way, and after day one of the annual security showdown the results are darn near an exact replica of last year's. Safari was the first to fall, followed by Internet Explorer 8 on Windows 7. Firefox on Windows 7 x64 was also taken down, as was the iPhone's mobile Safari. Google Chrome, however, has yet to succumb.

Once again, it's Chrome's sandbox which is making things difficult. At last year's Pwn2Own, Charlie Miller had this to say:
"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."
»www.washingtonpost.com/blogs/fas···log.html

quote:
The first browser to get hacked was Apples Safari. As Ars Technicas Peter Bright wrote on Thursday, the almost-current 5.0.3. version of Safari, running on an up-to-date copy of Mac OS X 10.6.6, succumbed to a malicious page written by researchers with VUPEN, a French security firm, in a few seconds.

They proved the attack by remotely launching the Macs Calculator program and writing a file to the MacBook Airs flash drive — earning them the right to keep the laptop, as per the contests rules.

Microsofts Internet Explorer 8, running on Windows 7 updated with Service Pack 1, fell later that day. Brights report notes that the IE 8 hack involved more exploits and took five to six weeks to construct, against two for the Safari exploit.

On the second day of Pwn2Own (organized by HPs Austin-based TippingPoint DVLabs subsidiary and held at the CanSecWest conference in Vancouver every year), the iPhone 4 and a BlackBerry Torch smartphone also suffered successful hacks. Although the iPhone 4 was not running Apples just-released iOS 4.3 — the contest rules only required that the target device be running software current as of the week before — the vulnerability exploited in the attack exists in 4.3, too.

Theres not much interpretation needed for these results, right? Apples Mac OS X is a dangerously insecure platform — its been successfully hacked at Pwn2Own every year since its debut in 2007 — that should be avoided if you dont want your computer to get taken over by a drive-by download.
»www.cnn.com/2011/TECH/mobile/03/···dex.html

Hacking competition leaves Android, Windows Phone 7 undefeated

pwn 2 own 2012:

quote:
At Pwn2Own, Chrome was successfully exploited for the first time. VUPEN declined to reveal how they escaped the sandbox, saying they would sell the information.[41] Internet Explorer 9 on Windows 7 was successfully exploited next.[42] Firefox was the third browser to be hacked using a zero day exploit.[43]
Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. Versions of Safari that were not fully patched and running on Mac OS X Snow Leopard were compromised during the CVE portion of pwn2own. It should be noted that significant improvements in the security mitigations within Mac OS X were introduced in Lion.
Except for the zero day exploit in IE9 for 2012, most hacking attempts on IE took weeks to do, and usually were based on flash exploits, while safari was always hacked first, except for the 2012 contest.

So, did you have anything on topic to say, or are you just here to bash Microsoft, no matter how wrong you actually are?


Metatron2008
Premium
join:2008-09-02
united state

1 recommendation

Which it should also be mentioned, that chrome for many years didn't get touched. Linux also never gets hacked, although linux also has really low customer base and is made by people who are usually hackers....

OSX gets creamed pretty much always, which coming from a guy talking about getting OSX while complaining about how insecure Windows is, is about the most hilariously dumb thing I've read all day.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

1 recommendation

reply to Metatron2008

So after all that quoting we come to the most recent contest where Chrome, IE and FF all fell on zero day but Safari was left standing thanks to recent improvements? I don't really care much what things were like in 2007 and more about how they are now.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by skeechan:

So after all that quoting we come to the most recent contest where Chrome, IE and FF all fell on zero day but Safari was left standing thanks to recent improvements? I don't really care much what things were like in 2007 and more about how they are now.

You do recall this recent one, right? »www.theverge.com/2012/9/26/34107···-exploit - it was only a month ago.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

Uh, that would be Oracle and Java runtime doesn't ship with OS X and hasn't for over a year (since 10.7.0). As far as I know, Windows doesn't ship with JRE either. In both cases, Oracle Java has to be downloaded and installed by the user just like any 3rd party application.

That's like blaming OS X and Windows for Flash vulnerabilities when Flash doesn't come installed in either OS.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by skeechan:

Uh, that would be Oracle and Java runtime doesn't ship with OS X and hasn't for over a year (since 10.7.0). As far as I know, Windows doesn't ship with JRE either. In both cases, Oracle Java has to be downloaded and installed by the user just like any 3rd party application.

That's like blaming OS X and Windows for Flash vulnerabilities when Flash doesn't come installed in either OS.

Browser-based zero day exploits use the browser to gain local access, and then use a local elevation to gain access. This is a real zero-day exploit. I don't "blame" anyone, the zero-day stuff is out there, and it matters little if the conduit is Java or social engineering. The OSes are as vulnerable as the user behind the keyboard is willing to make them. All of them. As soon as the user is convinced to click "allow" game over.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

3 edits

Oracle Java does not ship on these systems. Java runtime is not Javascript. They are completely unrelated. Meanwhile yeah, if a user chooses to install malware, the OS will permit it. But that isn't an exploit. What you describe (user clicking install) is the system behaving as it should, installing software at the user's request. Even then, what you propose won't work with OS X because unsigned stuff won't install without additional user intervention (Gatekeeper), even more so than UAC because there is no "Allow" in Gatekeeper like there is UAC. You actually have to turn it off and then reattempt the install (or start over with the install and use a contextual selection to bypass gatekeeper when installing).



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to scross

An imperfectly secure system is not secure. Someone adept at picking locks can open any lock meanwhile even the worst lock is good enough to keep those who aren't adept at picking locks from getting it open.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to dellsweig

And to keep this relevant to iOS... every iOS version so far has eventually be jailbroken, which means, yes, exploited to gain root. So, iOS isn't immune either.
--
My place : »www.schettino.us



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

JBing requires physical access to the device.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by skeechan:

JBing requires physical access to the device.

And it still gains root even with the app walled garden. "Physical access to the device" == web browser + user clicking OK. So essentially all systems are only as secure as their users.
--
My place : »www.schettino.us


Uncle Paul

join:2003-02-04
USA
kudos:1
reply to dellsweig

There are zero days for sale/trade for every OS. Most deal with third party software most users have on their system. However, most of the time I don't need to do anything overly cleaver. The user is more than happy to provide me with their credentials or install my software because I've told them something semi legit or feeds to their likes/fears.

The argument that market share isn't a driver is naive. It's not about technology (see above), it's about money. It's all about the money. Organized crime, bot masters, and spammers want your system and typically get access via drive by unpatched third party (Flash, Java, Adobe Reader) or social engineering via phish or pop ups. These entities are going to go after the largest market share using hijacked and rotating domains that come and go on a daily if not hourly basis. We're starting to see an uptick in OSX as it gains market share. A lot of this is due to Apple's slow patch times and reluctance to validate the threat (marketing has recently changed some on this). APT is something completely different and deserves it's own security thread all together.

It's a device.. a tool. There are situations where Windows is the perfect tool to use. Other times Linux or Unix. And, depending on what you're doing.. Apple. IT and technical people for some strange reason want to lock themselves into this view where what they personally like is the 'best' way. I always find it funny how people need to validate themselves over how long they've 'been in the business' and what ancient systems they've worked on just to try to alpha others. Bottom line is you pick the tool for the environment and task... You don't use a 10 penny nail when a nice trim nail will work.

From a personal point of view, I've built my desktop at home on Windows 7, my laptop on Linux, all about the same time as we got my wife her Macbook Pro. We've had more issues with OSX than with my Windows 7. My oldest (8) has a Windows 7 laptop I've had to clean malware off twice. In my daughter's case it was the user. In my wife's, the OS and applications (even those from Apple). My Linux, while gets a good share of updates too, has never been a problem... but then it has some very specific tasking and isn't as multifaceted as the other three.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS
reply to JohnInSJ

Seriously? You don't see the Universe of difference between having physical access to the device and remote access to a device? You don't see the world of difference between a drive by attack and one that requires significant user intervention?

Again, a user clicking OK is not an exploit. That is EXACTLY how the system was designed to function.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by skeechan:

Seriously? You don't see the Universe of difference between having physical access to the device and remote access to a device? You don't see the world of difference between a drive by attack and one that requires significant user intervention?

Again, a user clicking OK is not an exploit. That is EXACTLY how the system was designed to function.

»en.wikipedia.org/wiki/Phishing
»en.wikipedia.org/wiki/Social_eng···urity%29
»en.wikipedia.org/wiki/Exploit_%2···urity%29

"significant user intervention" is simply agreeing to an elevation prompt, which you've agreed to with no understanding at all already a million times. Not you, personally, but the average user.

Or, to sum it up:

--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

1 edit

Ah, the gospel of Wikipedia without understanding what you are pasting.

Again, that isn't an exploit, those aren't exploits. That is how the OS is designed to run...install programs on USER REQUEST. A stupid user isn't an exploit, it's an attack vector...two COMPLETELY different concepts. Exploits are actual system vulnerabilities. Attack vectors are the methods of getting into a system. Attack vectors can include exploits, but also include non-exploits such as idiotic users. In fact social engineering is used as an attack vector BECAUSE systems are largely secure from exploits.

And with OS X, it isn't simply agreeing to an elevation prompt like UAC in Windows.

With OS X, in addition to having to enter a user PASSWORD, you also have to DISABLE GATEKEEPER as malware isn't signed and WILL NOT INSTALL. Even a copied app won't first-run unless cleared by gatekeeper. And even after disabling gatekeeper, you have to start the install process all over again.

If I set up a wireless router but don't bother changing the default password, is that an exploit? No. It is how the system is designed to function.

Installing software at user request or with other intervention is not an exploit.


scross

join:2002-09-13
Cordova, TN
reply to Uncle Paul

said by Uncle Paul:

There are zero days for sale/trade for every OS.

The argument that market share isn't a driver is naive. It's not about technology (see above), it's about money. It's all about the money. Organized crime, bot masters, and spammers want your system and typically get access via drive by unpatched third party (Flash, Java, Adobe Reader) or social engineering via phish or pop ups. These entities are going to go after the largest market share using hijacked and rotating domains that come and go on a daily if not hourly basis. We're starting to see an uptick in OSX as it gains market share. A lot of this is due to Apple's slow patch times and reluctance to validate the threat (marketing has recently changed some on this). APT is something completely different and deserves it's own security thread all together.

It's a device.. a tool. There are situations where Windows is the perfect tool to use. Other times Linux or Unix. And, depending on what you're doing.. Apple. IT and technical people for some strange reason want to lock themselves into this view where what they personally like is the 'best' way. I always find it funny how people need to validate themselves over how long they've 'been in the business' and what ancient systems they've worked on just to try to alpha others. Bottom line is you pick the tool for the environment and task... You don't use a 10 penny nail when a nice trim nail will work.

From a personal point of view, I've built my desktop at home on Windows 7, my laptop on Linux, all about the same time as we got my wife her Macbook Pro. We've had more issues with OSX than with my Windows 7. My oldest (8) has a Windows 7 laptop I've had to clean malware off twice. In my daughter's case it was the user. In my wife's, the OS and applications (even those from Apple). My Linux, while gets a good share of updates too, has never been a problem... but then it has some very specific tasking and isn't as multifaceted as the other three.

Zero-day exploits may very well exist for every consumer-grade OS, but not many exist (if any at all, or for very long at all, generally) for enterprise-grade operating systems. (That's an old-school "alpha" term, BTW, which you may not understand. Many consumer-grade systems aspire to be - or even claim to be - enterprise-grade, too, but they rarely make the cut.)

And I stand by my market share statement. There were old-school systems out there that had plenty of market share well before Microsoft became the big dog, and they never suffered from the numbers and kinds of exploits that hit Microsoft from the very beginning - mostly because they actually cared about integrity and security (they had to; it was a requirement for them to even get in the front door) while Microsoft didn't want to know and didn't care (plus they came in through the back door, at least at first). Any concerns that Microsoft has for this now came rather late in the game.

I agree with you about Apple and any known holes in their systems. There is simply no excuse for not patching this stuff as quickly and as reliably as possible - marketing BS be damned! And they're not doing themselves any favors here today by keeping their head in the sand, obviously, but hopefully they are learning their lesson now.

One of the benefits of being an old fart vs. a young turk is that we generally have a wide range of experience and the benefit of historical perspective, which the young folks lack. For example, it just floors me that kids today equate "computer" with "PC", because they don't have an effing clue that any other computer type exists or has ever existed, or that for every PC out there there are easily ten times as many non-PC systems that they interact with on a daily basis, only these do their work quietly and invisibly, for the most part. But being in the business as long as I have means that I've worked on a lot of stuff - stuff that might make a young turk literally run away in fear and loathing (no joke, because I've seen this very thing happen, and it's a good way of separating the men from the boys).


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to skeechan

said by skeechan:

Ah, the gospel of Wikipedia without understanding what you are pasting.

So, you're a security expert? I posted from wikipedia because they use small words.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

1 recommendation

Evidently more of one than thou art. You copied from Wikipedia without understanding what they're talking about.

Dumb users aren't exploits and I explained why. User installed 3 party software isn't an OS exploit and I explained why. If you can't understand these simple things, I can't help ya.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

1 recommendation

said by skeechan:

Evidently more of one than thou art. You copied from Wikipedia without understanding what they're talking about.

Dumb users aren't exploits and I explained why. User installed 3 party software isn't an OS exploit and I explained why. If you can't understand these simple things, I can't help ya.

I totally understand that trivial point, which is orthogonal to the basic security issue. Social engineering to gain access to a system as a local user, which then begins a cascade of exploits running locally to escalate privileges, etc. is the most common method for breaching any OS. Including *nix systems. Or iOS. Or OSX. If a user used any modern system that was kept fully patched, and never executed an untrusted app, they'd all be equally secure.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

LOL, okay sport.



Metatron2008
Premium
join:2008-09-02
united state

So what exactly is your security credentials skeechan? Any experience with software?

While making software, sometimes yes, you can miss bugs, but having the ability to add things is always the biggest issue.

Have any experience with IT? Because not only did those guys at pwn 2 own hack using social engineering (Exploits were mainly found by adding such things as java and flash), but doing a quick search online:

»blogs.avg.com/consumer/social-en···nsumers/
»www.technibble.com/the-social-en···ecurity/

quote:
While these tools are necessary, there is one element that they still can’t protect – the human element. A solid fortress of hardware protection, updated anti-virus, and long cryptic passwords won’t do any good if you simply give the bad guys (or girls) the information they are looking for.
Social engineering is one the biggest threats (if not the biggest threat) to computer security
»www.computerworlduk.com/in-depth···-threat/

»www.computerworld.com.au/article···_threat/

quote:
Social engineering remains biggest cyber threat
99 per cent of cases could be avoided with basic use of cyber security best practice, according to the AFP
So again, what are your security credentials skeechan? or work in software, that you would deny what is a known fact in the security field?


Metatron2008
Premium
join:2008-09-02
united state

1 recommendation

Here's the simple fact about security:

Sometimes (But rarely) actual exploits happen from the OS itself. Not exploits from 3rd party software, but exploits from programs in the OS.

The problem is, that's actually very rare. If you surf the web as a non elevated user and not admin, don't use flash or java, and don't download stuff, you are pretty much safe.

The problem is, people will check their email, and find that people want them to download things because they've 'won a million dollars', or they will enlarge their penis...

Or they see a game online, or are illegally downloading software (And somebody added something to it), etc etc etc.



Uncle Paul

join:2003-02-04
USA
kudos:1

1 recommendation

reply to scross

said by scross:

Zero-day exploits may very well exist for every consumer-grade OS, but not many exist (if any at all, or for very long at all, generally) for enterprise-grade operating systems. (That's an old-school "alpha" term, BTW, which you may not understand. Many consumer-grade systems aspire to be - or even claim to be - enterprise-grade, too, but they rarely make the cut.)

Get over the attempted elitism, no one's buying. All of today's major OSs are enterprise grade. You may have to do some configuration based on the role, but they are all capable of being deployed in the enterprise.

said by scross:

And I stand by my market share statement. There were old-school systems out there that had plenty of market share well before Microsoft became the big dog, and they never suffered from the numbers and kinds of exploits that hit Microsoft from the very beginning - mostly because they actually cared about integrity and security (they had to; it was a requirement for them to even get in the front door) while Microsoft didn't want to know and didn't care (plus they came in through the back door, at least at first). Any concerns that Microsoft has for this now came rather late in the game.

I don't believe this is correct. Based on your comments, I'm going to assume you don't move much in pen testing/hacking kinds of circles. The cost of an exploit is based on several factors, but the two largest drivers (aside from age of the exploit and who you are) is the ease of deployment and target density (aka market share). You don't get as much for a SUSE Linux exploit that requires the user to execute a java applet than the same exploit on Windows 7. And, a Windows 7 exploit is worth more than a Windows ME exploit. The reason why no one does exploits for DEC Alphas isn't because the OS is so secure, but because it's not worth any money. If I pay you $20k for the exploit, I need to be able to deploy it, get marketable information from enough targets to sell before the exploit is told to the vendor and patched. It's all about the money.

said by scross:

One of the benefits of being an old fart vs. a young turk is that we generally have a wide range of experience and the benefit of historical perspective, which the young folks lack. For example, it just floors me that kids today equate "computer" with "PC", because they don't have an effing clue that any other computer type exists or has ever existed, or that for every PC out there there are easily ten times as many non-PC systems that they interact with on a daily basis, only these do their work quietly and invisibly, for the most part. But being in the business as long as I have means that I've worked on a lot of stuff - stuff that might make a young turk literally run away in fear and loathing (no joke, because I've seen this very thing happen, and it's a good way of separating the men from the boys).

I'm not quite sure if you're saying I'm a 'young turk' or just making a statement. I will say that you have me by a couple of years, but not really enough to make that much of a difference. When people think about security they more than often get really lost in the weeds and forget what security really is all about. Lets get out of the weeds for a moment and take a step back. Security is about managing risk. The most secure system is the one locked in a room without access and is powered off. Every step away from that is about managing the risk to gain in efficiencies. You can easily say that years ago everything ran on an IBM/VAX/WANG mainframe and was really secure. But truthfully it's just a straw man as the computing environment then isn't anything like it is now. In a way it's like saying a horse drawn carriage is more secure than a Ford Focus. One is pretty much isn't relevant now for more than a curiosity or in very specialized places. And, you simply can't use the same measure between the two.

Part of being in this industry means moving and changing with the environment. Having a historical perspective is a good, but I personally don't believe it's as valuable as you believe it to be. It's like me knowing how to program in Fortran. In today's world, it really doesn't matter unless I'm evaluating an application written in Fortran. The further back you go, the less relevant specific information is, and trending becomes more useful. We can go back a mere 15 years ago and look at the difference in centralized computing theory and security practices. Jump to today and we see what was a hard barrier between internal and external boundaries fade away. The effect of cloud based computing and SAS being adopted by business to handle core functions. Less internal IT staff and more vendors. The explosion of the internet with all the good and bad it's brought. Mobile systems in laptops, cell phones, and tablets. Wireless and remote access protections. Decisions around BYOD and security for managing data within those systems. The challenge of authentication and rights management across all of these federated systems. Support for thousand and thousands of different hardware pieces.

Personally I value honest objectivity in my employees over technology partisans. That objectivity is based on today's solutions, to meet today's challenges, across the enterprise with an eye on the market to see where vendors are positioning themselves for tomorrow's challenges.


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS
reply to Metatron2008

Again, we're talking about EXPLOITS.

An exploit is a vulnerability IN the system that causes errant or unpredicted behavior IN the system that allows a user to bypass security or privilege level.

You can be a Crayon eater and see that a stupid user installing software of their own effort is not an exploit. Nor is Java an OS exploit as it doesn't ship with either OS X or Windows. Hell, if we're going to install Java, why not just install the trojan and call the system 'hacked by exploit'? There is no difference.

The "human element" is not an exploit, it's an attack vector. The OS is operating AS DESIGNED in the situations you are describing.

For the final time, social engineering is not an exploit, it's an attack vector, just like actual OS exploits are attack vectors, vulnerabilities in Java are used as attack vectors.

In simpler terms, not all attack vectors are exploits but all exploits are attack vectors.



Metatron2008
Premium
join:2008-09-02
united state

Well fine. Call it what you want, that doesn't change the fact that social engineering is the biggest threat to online security today. Most OS's have very few (noticable) flaws when you get just the OS by itself.

Sure, no programmer is perfect, and if you paid enough money, somebody could find a flaw. Hell, you get some of the brightest american and jewish minds together and you can come up with stuxnet...

But it's simply easier to have an idiot install something.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS

OH yeah, no doubt. But that wasn't the point being made. A previous poster was basically blaming the OS for social engineering problems.

When talking about operating system vulnerabilities, which was what was being discussed, social engineering and 3rd party software is irrelevant...they aren't part of the operating system.

Microsoft isn't responsible for the swiss cheese Adobe and Oracle put out there. Apple isn't responsible for a user that downloads something, turns off gatekeeper, runs an installer and provides admin credentials. In these cases, Windows and OS X are running as designed. It's not Microsoft's fault someone CHOOSES to install software containing malware. That isn't an exploit. There is nothing to 'fix'.

You can't patch stupid. You can try with Gatekeeper and UAC, but stupidity is a very resilient condition.


scross

join:2002-09-13
Cordova, TN
reply to Uncle Paul

I note that you use the word "vendor(s)" three times in your post. That's very telling.


scross

join:2002-09-13
Cordova, TN
reply to Metatron2008

Concerning your "Pwn2Own" post, I've read many of these same things over the years so I pretty much know what the situation is. But I've always chuckled a bit over the results, because I tend to think of it more as "Of course they are going to attack the Mac first and hardest, because that's a prize actually worth winning!" (it has decent resale value, in any case), while the other prizes not so much.

But thanks for reminding me that Android has held up so well here, since these days I tend to think of it more as the future direction of computing. So that gives me warm fuzzies inside.



Uncle Paul

join:2003-02-04
USA
kudos:1
reply to scross

said by scross:

I note that you use the word "vendor(s)" three times in your post. That's very telling.

You might be surprised to note I've worked within the Federal space (DOE and DOD), the consulting space (Deloitte), and currently work with a state medical university and hospital (would like to be the place I retire from). I say vendor because there has been over the last 10 years a large shift away from internal application to COTS and outsourced IT functions. Within the medical IT field you'll find all kinds of vendors that hold contracts for medical devices that ride your network.

Move away from just being the guy that maintains the machine and start looking at your IT infrastructure as a cost to deliver the service required to drive your business.