Security Watch
Stat on OS X Virus Growth Misleading
Plus RFID hacking, protecting decommissioned servers and more
McAfee recently released a whitepaper which states that OS X vulnerabilities have increased by 228 percent in the past three years; Microsoft Windows, on the other hand, has seen only a 73 percent increase in the same period of time.
That statistic ignores a number of facts. One is that vulnerabilities vary in their seriousness. Another is that three years ago OS X was a new operating system (having launched in 2001) that was not yet widely deployed. Another is that vulnerabilities do not equate to attacks (as some media coverage would lead readers to believe). And the most significant fact is that more OS X systems have lost data due to use of antivirus software than have lost data due to viruses.
Ohio University recently announced that its alumni database server was compromised and that information on more than 300,000 people may have been stolen. The media reports referred to the server as a "Ghost Server," which immediately drew our attention because we assumed it was a server running Symantec's Ghost product. It turns out the term was being used to describe a server which the University thought had been decommissioned.
This should serve as a reminder to define precisely when a server counts as decommissioned. One good way to keep track of such systems is to use DHCP reservations based on the system's MAC address. Servers shouldn't receive dynamic IP addresses as a general practice, but DHCP reservations allow you to assign a specific IP address to a specific MAC. So, as part of your final steps in taking down a server, you alter the IP address being offered to that MAC address: assign it a loopback IP address like 127.0.0.10 or some other non-routable address, and remove its default gateway IP address or point that gateway at an IDS system. By doing this you ensure the machine can't quietly be put to other uses; it has to be properly "commissioned" to come back online in some new role. It will also show up in a variety of reports, reminding admins that it's still online but non-functional.
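One way to turn the "shows up in reports" idea into a routine check, as an added example that is not from the column: audit the DHCP server's lease file for any MAC on the decommissioned list that is still holding an active lease on a routable address. The inventory and the lease excerpt are constructed, and the excerpt follows the ISC dhcpd.leases syntax.

```python
import re
from ipaddress import ip_address

# Constructed inventory: MACs of servers believed decommissioned, mapped to the
# non-routable address each DHCP reservation is supposed to hand them.
DECOMMISSIONED = {
    "00:0c:29:3a:1f:7e": "127.0.0.10",   # alumni-db (constructed)
    "00:50:56:aa:bb:cc": "127.0.0.11",   # old-mail (constructed)
}

# Constructed excerpt in ISC dhcpd.leases syntax.
SAMPLE_LEASES = """\
lease 10.0.5.42 {
  binding state active;
  hardware ethernet 00:0c:29:3a:1f:7e;
  client-hostname "alumni-db";
}
lease 10.0.5.77 {
  binding state active;
  hardware ethernet 00:1a:a0:12:34:56;
  client-hostname "web01";
}
lease 127.0.0.11 {
  binding state active;
  hardware ethernet 00:50:56:AA:BB:CC;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"(binding state|hardware ethernet)\s+([^;]+);")

def parse_leases(text):
    """Yield (ip, mac, binding_state) per lease block; MACs normalised to lower case."""
    for m in LEASE_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group("body")))
        yield (m.group("ip"),
               fields.get("hardware ethernet", "").strip().lower(),
               fields.get("binding state", "").strip())

def find_ghost_servers(text, decommissioned=DECOMMISSIONED):
    """Return (mac, ip) for decommissioned MACs holding an active lease on an
    address other than their quarantine address. A box parked on loopback is
    the expected, harmless state and is not reported."""
    ghosts = []
    for ip, mac, state in parse_leases(text):
        if mac in decommissioned and state == "active":
            if ip != decommissioned[mac] and not ip_address(ip).is_loopback:
                ghosts.append((mac, ip))
    return ghosts
```

Run against the real lease file on a schedule, any hit is a "ghost server" that either never had its reservation changed or was brought back online without being re-commissioned.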
Malicious Code
Malicious Cryptography, Part 1: This article proposes what might happen when cryptography and malware technologies are combined. It describes a threat in which a malware author uses crypto to encrypt a victim's data, after which the criminal demands a ransom to unlock that data.

Such a threat has existed; however, it was seen by very few people, primarily in anti-virus circles. Further, the model introduces enormous risks for the criminal, as a money trail is left which can be extremely difficult to completely cover. Certainly transactions can fly through the Internet with the greatest of ease, but ultimately someone is going to pick up the cash at the end.

The malicious use of crypto is most likely going to be limited to encrypting the command and control mechanisms, rather than attempting to extort victims for the return of their data.
Human Factors
A U.K. judge has agreed that Gary McKinnon can be extradited to the U.S. to face charges that his breach of various U.S. government and military systems caused damage and significant disruption.

Some media controversy exists over whether McKinnon is being treated more harshly in order to set an example. During a BBC radio interview, I stated that all such individuals should be seen as criminals and should receive sentencing accordingly. There seem to be some who think that breaking into a computer is not a criminal offense, contrary to law in most civilized nations. If the U.S. government feels that now is a good time to make examples of cyber-criminals, then possibly the best advice is to not be one!
Physical Security
An interesting story appeared in Wired recently regarding the RFID-Hacking Underground. It described an attack where one individual walked past another and, in the process, stole the code from an RFID-enabled smartcard the victim used to enter a secure building.
It's no real surprise that the codes can be stolen. It stands to reason that anything that gets broadcast can be picked up by something that can receive. However, RFID has such a small range that the proximity needed to make such a theft is roughly equal to that in which a decent pick-pocket could be as effective. The difference with RFID is that the victim need not know that they've had their card stolen, unlike the physical attack. The thief in the case above used the code to enter the same building the victim had just entered.
Perhaps more telling than the RFID story is the fact that the building security system was oblivious to the fact that the code had already been used to enter the building. In other words, it could have denied the second use of the code to enter the building entirely on the fact that the holder must have already been inside. Sensors throughout the building could have easily detected that two RFID transmitters were present and advertising the same value, and so on. The same is true, of course, of smart cards without RFIDs.
The bottom line is that this doesn't demonstrate a weakness in RFID technology, but merely in how poorly RFIDs are being implemented today. An RFID, for example, need not transmit its code to just any old device; the card that contains it could be smart enough to determine whether the reader is valid, or a simple switch could allow the holder to decide when to permit transmission.
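The two controls the column says the building system lacked, as an added example that is not part of the article: an access controller that enforces anti-passback (a credential already recorded as inside is refused re-entry and raises an alert), plus a check over one instant's sensor readings for the same card value advertised at two places at once. Reader names, card values and timestamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class DoorEvent:
    ts: int          # seconds since midnight (constructed)
    card: str        # value read off the badge by the door reader
    reader: str      # door reader name
    direction: str   # "in" or "out"

@dataclass
class AccessController:
    """Anti-passback: a credential must be seen leaving before it may enter again."""
    inside: dict = field(default_factory=dict)   # card -> reader it entered through
    alerts: list = field(default_factory=list)

    def handle(self, ev: DoorEvent) -> str:
        if ev.direction == "in":
            if ev.card in self.inside:
                # The holder is already inside, so this read is a replayed or cloned
                # credential; refuse it and alert rather than opening the door.
                self.alerts.append(
                    f"{ev.ts}: {ev.card} presented at {ev.reader} while already "
                    f"inside (entered via {self.inside[ev.card]})")
                return "deny"
            self.inside[ev.card] = ev.reader
            return "grant"
        self.inside.pop(ev.card, None)   # exit clears the inside record
        return "grant"

def duplicate_transmitters(sweep: dict) -> list:
    """Given one instant's readings {sensor: set(card values)} from sensors spread
    through the building, return values advertised at two or more sensors at once."""
    seen = {}
    for sensor, cards in sweep.items():
        for card in cards:
            seen.setdefault(card, set()).add(sensor)
    return sorted(c for c, s in seen.items() if len(s) > 1)

# Constructed scenario matching the column: the victim badges in, the thief replays
# the captured code at the same door shortly after, the victim leaves at day's end.
EVENTS = [
    DoorEvent(32400, "CARD-4711", "lobby-door", "in"),
    DoorEvent(32445, "CARD-4711", "lobby-door", "in"),
    DoorEvent(61200, "CARD-4711", "lobby-door", "out"),
]
SWEEP = {"floor2-hall": {"CARD-4711", "CARD-0042"}, "floor5-lab": {"CARD-4711"}}

def run_scenario(events=EVENTS):
    """Return the per-event decisions and the alerts raised while processing them."""
    ctl = AccessController()
    return [ctl.handle(e) for e in events], ctl.alerts
```

Neither check needs the card to be any smarter than it is today; both live entirely in the back-end system that the column faults for being oblivious.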
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.