[Coco] OS Vulnerabilities (Was: Paypal )
John E. Malmberg
wb8tyw at qsl.net
Fri Feb 27 08:11:02 EST 2004
James Ross wrote:
>
> But I do worry about a Trojan Horse that can capture keystrokes and
> send my password to someone. IMO, that is the major risk. With any OS
> available today, any program you install has the possibility of having
> such a Trojan. And that is the problem. All OS's are inherently
> insecure because most programs / drivers can do what they want
> unchecked.

That is not true with any O.S. available today.

Some OSes like OpenVMS/UNIX/LINUX require that the program be run by a
privileged user to cause that type of problem.

Normal users do not have the ability to install device drivers on secure
operating systems. It requires logging in as a privileged account.

You can secure a multi-user variant of Windows NT / 2000 and its
successors to prevent a non-privileged user from installing programs, or
having a program cause damage to the system, but there is no canned
procedure to set the file protections securely, and I have not seen any
documentation from Microsoft on how to do this. But it is possible in
the security model to do it right. If someone has found an official
link from Microsoft on how to do this, please let me know.

Some LINUX/UNIX systems prohibit the root account from running programs
that have not been registered with the operating system as trusted.

Linux is available free. Several UNIX variants are available free or at
reduced cost for home non-commercial use. OpenVMS is available free for
home hobby use, and there is a SIMH VAX emulator that will run it on an
X86 platform. Alphas capable of running OpenVMS are available on the
new and used market.

There have been two cross platform exploits documented.

1. Cookie exploit. The remote site that was giving a credit card or
password recorded it in a cookie on the victim's system, and gave the
cookie an obvious name. When the user visited a bad web site, the web
site looked up the cookie and got the information.

Note that this required an error on one web site operator, and also
required the user to visit a "BAD" web site.

Many of these types of exploits seem to be from enticing people to visit a
porn site. But if your e-mail client will open external pictures
automatically, or will run scripts, then you can be victimized by a spammer.

Since apparently it takes a while for web programmers to learn from
others' mistakes, it may be worthwhile to inspect what cookies your
browser has. Limiting cookies to per-session will lower this risk.

2. Script exploit. I just saw this one recently. Apparently the person
visited a site that started a script running, and this script
intercepted their keyboard and mouse clicks to the browser, and then
tracked all the sites that the person subsequently visited.

Again, to be victimized, you must first visit the bad site, and you need
to have scripting enabled.
-John
wb8tyw at qsl.network
Personal Opinion Only
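
Added example, not part of the original message: the cookie inspection suggested in the post, written as a Python check over a cookie store exported in the Netscape cookies.txt format. It reports cookies whose names suggest a stored secret, and whether each is persistent rather than per-session. The keyword list, function names and sample data are constructed assumptions.

```python
import re

# Assumption: name fragments that suggest a site stored a secret in the cookie.
SENSITIVE = re.compile(r"pass|pwd|credit|card|cc_?num|cvv|ssn", re.I)

def parse_cookies_txt(text):
    """Yield cookies from Netscape cookies.txt content (7 tab-separated fields)."""
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):            # curl-style HttpOnly marker
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):  # blank line or comment
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue                                 # skip malformed rows
        domain, _subdomains, _path, secure, expiry, name, _value = fields
        yield {
            "domain": domain,
            "name": name,
            "secure": secure == "TRUE",       # only sent over HTTPS
            "persistent": int(expiry) != 0,   # expiry 0 means per-session
        }

def audit(text):
    """Return (domain, name, persistent, secure) for cookies with risky names.

    Cookie values are never returned, so the report itself leaks nothing.
    """
    return [(c["domain"], c["name"], c["persistent"], c["secure"])
            for c in parse_cookies_txt(text) if SENSITIVE.search(c["name"])]

def persistent_names(text):
    """Names of cookies that survive a browser restart."""
    return [c["name"] for c in parse_cookies_txt(text) if c["persistent"]]

# Constructed sample data; domains, names and values are made up.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".shop.example\tTRUE\t/\tFALSE\t1893456000\tcc_number\tREDACTED",
    ".shop.example\tTRUE\t/\tTRUE\t0\tsessionid\tabc123",
    "#HttpOnly_forum.example\tFALSE\t/\tTRUE\t1893456000\tuser_password\tREDACTED",
    "news.example\tFALSE\t/\tFALSE\t1893456000\ttheme\tdark",
    "broken line without tabs",
])

if __name__ == "__main__":
    for domain, name, persistent, secure in audit(SAMPLE):
        kind = "persistent" if persistent else "per-session"
        print(f"{domain}: {name} ({kind}, https-only={secure})")
```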