It looks like people are starting to get it …

I’ve been a strong proponent of real security … not security theatre … since I saw what crackers will do to unwitting customers. Most of the exploits I’ve seen over the past several years have been due to a very weak point of entry, coupled with some keylogger technology.
I’ve watched otherwise secure Linux clusters be compromised easily when a grad student running Windows happily typed the root password while sshing in. Everything I warned this group about came to pass, in spades. I reported my observations to the relevant cluster group in the interest of preventing similar attacks, and was subsequently banned by the group admins. I’m not going to reopen that, though I’ll point out that it was likely the extra single “s” I placed in the title (out of long-standing habit on my part) that they took offense to.
Real security is hard. It requires you to think about the attack vectors, your vulnerabilities, etc. It’s not paranoia to assume that there are many bad people out to get your information. They are. And they are very smart. And very good.

We see many attacks against systems (I’ve got lots of logs of them): brute force, subtle attacks, attempts at social engineering/phishing, pretty much anything you can throw at a system. Most of the attacks are aimed squarely at Windows systems. Part of the reason for this is that it is very hard, pretty close to impossible, to secure these systems. I don’t say this lightly. Most folks don’t want to run with least privilege. They like to be able to install software, apps, etc., and on Windows they need administrator (root-level) privileges to do this if they want to avoid all those nasty dialog boxes.
But that’s not the only problem, though I won’t go through the litany of others.
Suffice it to say that ordinary people are getting that it’s pretty hard to secure. And now some of them are recommending using Linux rather than Windows for online banking.
This can help. Their recommendation is to use a live CD. Live CDs are immutable: they cannot be changed. This suggests that the attack vector for these will be fraudulent live CDs that include pre-trojaned apps, so users will need to use common sense when getting them.
The live CDs run Linux off the CD and let you bank.
OK … I agree with the author’s view that it is effectively impossible to secure Windows, and maybe it’s time to focus on something more secure by design, and unable to run Windows trojans.
But there are many steps in the process of getting information, and some of these are pure theatre.
I won’t mention my bank’s name, though I will note that yes, they did get TARP money, and no, they haven’t made it any easier for us to get needed capital. But that’s another post.
Their online banking login system is pretty much tied to Windows. It’s damn near impossible to access our accounts on Linux. They make it so by basing their software design on Microsoft’s suggestions … like IEx … instead of on standards.
So, if you are compelled to use Windows, how best to do it securely? First off, keep it as far away from the hardware as possible. Run Windows in a window. This lets you run your disks as immutable, unchangeable. You can store and examine your deltas somewhere else. This means that you can only be trojaned during that particular instance (unless the underlying VM can be compromised).
Second, keep the software installed on that instance to a bare minimum.
Third, do no email or web surfing from that instance.
Fourth, do not open any external document attachments in that instance. PDFs are attack vectors these days. Office files carry payloads, as do ZIP files. Create an entirely separate virtual machine, with an immutable disk and a mount of some file share, for opening documents.
Fifth, never, ever, under any circumstances, let Windows touch a raw network. Run a firewall on it, and if you are running it as a VM, use iptables to restrict what it can and can’t see. Only let ports 80 and 443 in or out.
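Steps one and five above, as an added shell example that is not part of the original post: it prints, for review, the iptables rules that confine a Windows guest to ports 80 and 443, and the QEMU commands that boot it from an immutable base image with the session’s writes kept in a separate delta file. The bridge name, guest address, resolver address and the allowance for DNS on port 53 (so the browser can still look up the bank) are my assumptions, not the post’s.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rules that confine
# one Windows guest to HTTP/HTTPS, plus the QEMU commands that boot it from an
# immutable base image with this session's writes in a separate delta file.
# Assumptions (not from the post): the host routes for bridge br0, the guest has a
# fixed address, and one named resolver is allowed on port 53 so the guest can
# still resolve names (the post itself lists only ports 80 and 443).
VM_IP="${VM_IP:-192.168.100.2}"            # constructed sample guest address
VM_BRIDGE="${VM_BRIDGE:-br0}"
DNS_SERVER="${DNS_SERVER:-192.168.100.1}"  # constructed sample resolver address

# Print the rule set rather than applying it, so it can be read and diffed first.
vm_firewall_rules() {
  cat <<EOF
# dedicated chain; everything forwarded to or from the guest passes through it
iptables -N VMBANK
iptables -A FORWARD -i $VM_BRIDGE -s $VM_IP -j VMBANK
iptables -A FORWARD -o $VM_BRIDGE -d $VM_IP -j VMBANK
# replies to connections the guest itself opened
iptables -A VMBANK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the guest may open HTTP and HTTPS connections, nothing else
iptables -A VMBANK -s $VM_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# assumption: one resolver only, so names still resolve inside the guest
iptables -A VMBANK -s $VM_IP -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
iptables -A VMBANK -s $VM_IP -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT
# everything else, in either direction, is logged (rate-limited) and dropped
iptables -A VMBANK -m limit --limit 5/min -j LOG --log-prefix "VMBANK-DROP: "
iptables -A VMBANK -j DROP
EOF
}

# Immutable base image: every session boots the same disk; writes land in a delta
# file kept outside the guest, which can be examined or discarded afterwards.
vm_launch_cmd() {
  base="$1"; delta="$2"
  printf '%s\n' \
    "qemu-img create -f qcow2 -b \"$base\" -F qcow2 \"$delta\"" \
    "qemu-system-x86_64 -enable-kvm -m 2048 -drive file=\"$delta\",format=qcow2 -netdev bridge,id=n0,br=$VM_BRIDGE -device e1000,netdev=n0"
}

vm_firewall_rules
vm_launch_cmd windows-base.qcow2 banking-session.qcow2
```

Keep the delta file after each session if you want to inspect what the guest wrote; start the next session from a fresh delta so nothing persists.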
All of this is, of course, on the client side, which isn’t the only side that gets attacked.
One of the more interesting attacks I’ve seen is some sort of DNS cache poisoning, whereby some browsers get incorrect IP addresses for specific records. We saw this with our bank and Firefox 2. It didn’t matter what the OS was: someone somehow managed to poison a cache far upstream, and we got a security certificate which didn’t make sense for the site. I called the bank on this, and they shrugged.
You can’t control what comes down in response to your request, but you can look carefully. If the forms don’t do GETs/POSTs to reasonable addresses, or if the cert doesn’t make sense for the business, yeah, you might be getting a silent attack.
How many people actually look at the security bits? Yeah, call me paranoid. I’ve seen this attack before, and I can’t imagine how many times it worked …
There you are at your site’s web page, logging in, happily giving the bad guys the keys to the kingdom, and then they redirect you to the correct pages after stealing your info.
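The “look carefully” checks above, as an added shell example that is not part of the original post: it compares the addresses your local resolver returns for the bank with those from a reference resolver you trust more than the upstream cache, and then checks that the names in the presented certificate actually cover the bank’s hostname. It assumes dig and openssl are installed; REF_RESOLVER is a constructed placeholder you must replace.

```shell
#!/bin/sh
# Added example (not from the original post): pre-login checks for the two signals
# the text describes, a poisoned DNS answer and a certificate that does not fit the
# site. Assumptions (not from the post): dig and openssl are installed, and
# REF_RESOLVER below is a constructed placeholder, not a real resolver address.
REF_RESOLVER="${REF_RESOLVER:-198.51.100.53}"

# Two newline-separated address lists agree if they hold the same set of addresses.
dns_answers_agree() {
  [ "$(printf '%s\n' "$1" | sort -u)" = "$(printf '%s\n' "$2" | sort -u)" ]
}

# Does any SAN entry (DNS:name; a wildcard covers exactly one label) name the host?
san_covers_host() {
  host="$1"; shift
  for entry in "$@"; do
    name="${entry#DNS:}"
    case "$name" in
      \*.*)
        suffix="${name#\*.}"; label="${host%.$suffix}"
        # the label must be non-empty, contain no dot, and the suffix must have matched
        [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label%%.*}" = "$label" ] && return 0 ;;
      *) [ "$name" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Live checks: return non-zero (and say why) when either signal appears.
check_bank_site() {
  host="$1"
  local_ips="$(dig +short "$host" A)"
  ref_ips="$(dig +short @"$REF_RESOLVER" "$host" A)"
  if ! dns_answers_agree "$local_ips" "$ref_ips"; then
    echo "WARNING: resolvers disagree for $host (local: $local_ips / reference: $ref_ips)"; return 1
  fi
  sans="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName | grep -o 'DNS:[^ ,]*')"
  # shellcheck disable=SC2086  # the SAN list is split into arguments on purpose
  if ! san_covers_host "$host" $sans; then
    echo "WARNING: certificate presented for $host does not name it: $sans"; return 1
  fi
  echo "OK: $host resolves consistently and its certificate names it"
}

# Only contact the network when a hostname is supplied, e.g. BANK_HOST=www.bank.example
if [ -n "${BANK_HOST:-}" ]; then check_bank_site "$BANK_HOST"; fi
```

Sites behind round-robin or geographic DNS can legitimately answer differently from different resolvers, so treat a mismatch as a prompt to scrutinise the certificate and the form targets, not as proof of poisoning.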
That’s not a Windows attack. This is why you need multi-factor authentication …
From what I’ve heard, two-way authentication with a key fob is no longer secure. I can tell you that long passwords aren’t secure, especially when keyloggers are happily grabbing the keystrokes.
Real security comes from realizing that you won’t always win, and you have to limit what happens when you lose. Minimize the maximum damage that can be done. Then make darned sure that your bank doesn’t practice security theatre. Mine does, and it terrifies me.
So while the article’s author suggests Linux as a panacea, allow me to inject a note of caution. It is one of multiple steps. It is easier to lock down than Windows, and harder to corrupt. But it is corruptible. All they need to do is find the weak link and exploit it. We’ve helped clean up after such weak links have been exploited. I can’t say I know where all of them are, but we do have some mechanisms that we make available to our customers that can do a good job at stopping some types of attack cold.
The take-home message is: they are out to get you, and your job is to make it very hard for them to do so. Linux is a first step, not the complete solution.

1 thought on “It looks like people are starting to get it …”

  1. See also IEs4Linux:
    Running that from a Linux LiveCD (via virtualization) at least complicates attack vectors. With stack randomization, etc., many common attacks just won’t work.
    You’re still running untrusted code for a trusted service, but if the trusted service demands it…
