metrodust (Seattle, WA), reply to B, Re: Anatomy of a Drive-by-Install
said by B: The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install? They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to avoid the infections...? -- B

The simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it.
eburger68, reply to metrodust:
said by metrodust: the simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it.

It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
The fact that the user has not elected to trust the CA has NOTHING to do with the trustworthiness of the Java applet itself. IST could have just as easily used a cert from Thawte/Verisign, which would be trusted by default through the user's browser.
In fact, we see this all the time with ActiveX controls installed by spyware/adware through Internet Explorer, almost all of which are signed with certs issued by Thawte/Verisign. The fact that the ActiveX control has been signed with a cert issued by a trusted CA says absolutely *nothing* about the trustworthiness of the ActiveX control itself, because Thawte/Verisign will issue certs to just about anyone under any name. See Ben Edelman's recent discussion of this problem for more information:
www.benedelman.org/news/020305-1.html
And what if IST were to get a new signing cert from Thawte/Verisign? Would you then advise users that the app was "trustworthy"?
Of course not, because the real problem lies elsewhere. The real problem with the Java applet Warning box is that it provides no useful information whatsoever to the user. None. Most users aren't going to be familiar with "Integrated Search Technologies," which sounds like an innocuous enough company. Still worse, there's not even a link, such as the much maligned ActiveX Security Warning box provides, for the user to get more information or read the EULA associated with the program.
And given that users will encounter these Java applet Warning boxes (or similar looking ones) frequently in their surfing around the Net, it's a serious problem that they don't have any useful method for distinguishing between trustworthy and non-trustworthy Java applets. The same holds true for ActiveX controls, though at least users can get to a EULA of some sort and Microsoft has implemented some changes in XP SP2 to take those Security Warning boxes out of users' faces.
It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits. Always has been. In fact, those kinds of exploit-based installations really only took off in the last year or so. Since the beginning in 2000, the spyware/adware problem has largely been the depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.
Eric L. Howes
redxii (Texas), reply to eburger68:

said by eburger68: It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits .... depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.

I posted this in an earlier thread, about ActiveX and IST: Re: 180Solutions Buying Legitimacy? .. Don't know if you've seen it yet. I believe it supports your claim that it is a myth.
That is the Internet Explorer equivalent of the Java/Mozilla exploit. What I posted is found on exactly the same pages where the Java/Mozilla exploits are, only when viewed in IE.
Also, I should mention the click_run_to_remove_virus.exe was unable to execute under a limited account.
metrodust (Seattle, WA), reply to eburger68:

The bottom line is still lack of education on the end-user's part.
johnpro (Brisbane, Oz), reply to eburger68:

said by eburger68: It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
I have never trusted "trust us certification" for a number of reasons.
Trust is built up over time. Anyone can claim they are trustworthy.
Look at Truste certification for example. This company certifies that giants such as Microsoft and Intel are trustworthy. I happen to agree with them.
However they also certify that dubiates such as idownload and lycos are also trustworthy.
As one scribe recently wrote: can Truste be trusted!
My emails to Truste were just ignored when I asked them to clarify their position on certification of many of the bad guys in the industry.
Verisign et al also have difficulties. Most players do not know the significance of these certificates anyway.
jp