Stat on OS X Virus Growth Misleading
Plus RFID hacking, protecting decommissioned servers and more
recently released a whitepaper which states that
vulnerabilities have increased by 228 percent in the
past three years; Microsoft Windows
, on the other hand, has
seen only a 73 percent increase in the same period of time.
That statistic ignores a number of facts. One is that
vulnerabilities vary in their seriousness. Another is that
three years ago OS X was a new operating system (having
launched in 2001) that was not yet widely deployed. Another
is that vulnerabilities do not equate to attacks (as some
media coverage would lead readers to believe). And the most
significant fact is that more OS X systems have lost data
due to use of antivirus software than have lost data due
Ohio University recently announced that its alumni
database server was compromised and information on more than
300,000 people may have been stolen. The media reports
referred to the server as a "Ghost Server," which immediately
drew our attention thinking it was a server running
Symantec's Ghost product. Turns out the term was being used
to describe a server which the University thought had been
Obviously this should be a good reminder regarding just how
you define a server as being decommissioned. One
good way to keep track of such systems is to use DHCP
reservations based on the system's MAC address. Servers
shouldn't receive dynamic IP addresses as a general
practice, but DHCP reservations allow you to assign a
specific IP address. So as part of your final steps in
taking down a server you alter the IP address being offered
to that MAC address; assign it a loopback IP address like
127.0.0.10 or some other non-routable address, remove its
default gateway IP address or make that address point to an
IDS system. By doing this you ensure the machine can't be
used for other purposes -- it has to be properly
"commissioned" to come back online in some new role. It will
also show up in a variety or reports, reminding admins it's
still online but non-functional.
Malicious Cryptography, Part 1: This article
might happen when cryptography and malware technologies are
The article proposes a threat involving a malware author using
crypto to encrypt a victim's data, after which the criminal
demands a ransom to unlock the victim's data.
Such a threat has existed; however, it was seen by
very few people, primarily in anti-virus circles. Further,
the model introduces enormous risks for the criminal as a
money trail is left, which can be extremely difficult to
completely cover. Certainly transactions can fly through the
Internet with the greatest of ease, but ultimately someone
is going to pick up the cash at the end.
The malicious use of crypto is most likely going to be limited
to encrypting the command and control mechanisms, and not to
attempt to extort the victims for the return of their data.
A U.K. judge has agreed that Gary McKinnon can be extradited
to the U.S. to face charges that his breach of various U.S.
government and military systems caused damage and significant
Some media controversy exists over whether McKinnon is being
treated more harshly in order to set an example. During a BBC
radio interview, I stated that all such individuals should be
seen as criminals and should receive sentencing accordingly.
There seem to be some who think that breaking into a computer
is not a criminal offense, contrary to law in most civilized
nations. If the U.S. government feels that now is a good time
to make examples of cyber-criminals, then possibly the best
advice is to not be one!
An interesting story appeared in Wired recently regarding the
RFID-Hacking Underground. It described an attack where one
individual walked past another and, in the process, stole the
code from a RFID-enabled smartcard the victim used to enter
a secure building.
It's no real surprise that the codes can be stolen. It stands
to reason that anything that gets broadcast can be picked up
by something that can receive. However, RFID has such a small
range that the proximity needed to make such a theft is
roughly equal to that in which a decent pick-pocket could be
as effective. The difference with RFID is that the victim need
not know that they've had their card stolen, unlike the
physical attack. The thief in the case above used the code to
enter the same building the victim had just entered.
Perhaps more telling than the RFID story is the fact that the
building security system was oblivious to the fact that the
code had already been used to enter the building. In other
words, it could have denied the second use of the code to
enter the building entirely on the fact that the holder must
have already been inside. Sensors throughout the building
could have easily detected that two RFID transmitters were
present and advertising the same value, and so on. The same
is true, of course, of smart cards without RFIDs.
The bottom line is that this isn't demonstrating a weakness
in RFID technology, but merely in how poorly RFIDs are being
implemented today. An RFID, for example, need not transmit
its code to just any old device, the card that contains it
could be smart enough to determine whether the device is
valid, or a simple switch could allow the holder to determine
when to permit transmission.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.