[Coco] OS Vulnerabilities (Was: Paypal )

John E. Malmberg wb8tyw at qsl.net
Fri Feb 27 08:11:02 EST 2004


James Ross wrote:
> 
> But I do worry about a Trojan Horse that can capture keystrokes and
> send my password to someone.  IMO, that is the major risk. With any OS
> available today, any program you install has the possibility of having
> such a Trojan.  And that is the problem.  All OS's are inherently
> insecure because most programs / drivers can do what they want
> unchecked. 

That is not true with any O.S. available today.

Some OSes like OpenVMS/UNIX/LINUX require that the program be run by a 
privileged user to cause that type of problem.

Normal users do not have the ability to install device drivers on secure 
operating systems.  It requires logging in as a privileged account.

You can secure a multi-user variant of Windows NT / 2000 and its 
successors to prevent a non-privileged user from installing programs, or 
having a program cause damage to the system, but there is no canned 
procedure to set the file protections securely, and I have not seen any 
documentation from Microsoft on how to do this.  But it is possible in 
the security model to do it right.  If someone has found an official 
link from Microsoft on how to do this, please let me know.


Some LINUX/UNIX systems prohibit the root account from running programs 
that have not been registered with the operating system as trusted.


Linux is available free.  Several UNIX variants are available free or at 
reduced cost for home non-commercial use.  OpenVMS is available free for 
home hobby use, and there is a SIMH VAX emulator that will run it on an 
X86 platform.  Alphas capable of running OpenVMS are available on the 
new and used market.


There have been two cross platform exploits documented.

1. Cookie exploit.  The remote site that was giving a credit card or 
password recorded it in a cookie on the victim's system, and gave the 
cookie an obvious name.  When the user visited a bad web site, the web 
site looked up the cookie and got the information.

Note that this required an error by one web site operator, and also 
required the user to visit a "BAD" web site.

Many of these types of exploits seem to be from enticing people to visit a 
porn site.  But if your e-mail client will open external pictures 
automatically, or will run scripts, then you can be victimized by a spammer.

Since apparently it takes a while for web programmers to learn from 
others' mistakes, it may be worthwhile to inspect what cookies your 
browser has.  Limiting cookies to per-session will lower this risk.


2. Script exploit.  I just saw this one recently.  Apparently the person
visited a site that started a script running, and this script 
intercepted their keyboard and mouse clicks to the browser, and then 
tracked all the sites that the person subsequently visited.

Again, to be victimized, you must first visit the bad site, and you need 
to have scripting enabled.

-John
wb8tyw at qsl.network
Personal Opinion Only
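
Added example, not part of the original message: one way to do the cookie inspection suggested under exploit 1, assuming the cookies are stored in a Netscape-format cookies.txt file. The name patterns and the sample data are constructed for illustration, and the name match is a heuristic, not a complete list.

```python
import re

# Cookie names hinting that a site stored a secret client-side (assumed list).
SENSITIVE = re.compile(r"pass(w(or)?d)?|pwd|card|cc_?num|cvv|ssn", re.I)

# Constructed sample in Netscape cookies.txt layout (tab-separated):
# domain, subdomain flag, path, secure flag, expiry epoch, name, value
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "shop.example\tFALSE\t/\tFALSE\t1893456000\tpassword\tconstructed-value",
    ".shop.example\tTRUE\t/\tFALSE\t1893456000\tcc_number\tCONSTRUCTED-0000",
    "news.example\tFALSE\t/\tFALSE\t0\tsessionid\tab12cd34",
    "#HttpOnly_bank.example\tFALSE\t/\tTRUE\t0\tcardtoken\tzz99",
    "forum.example\tFALSE\t/\tFALSE\t1893456000\ttheme\tdark",
    "truncated line without enough fields",
])

def parse_cookies(text):
    """Yield one dict per well-formed cookie line; skip comments and junk."""
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):      # prefix written by curl
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue                            # malformed entry, ignore
        domain, _, _path, secure, expiry, name, value = fields
        yield {"domain": domain, "name": name, "value": value,
               "secure": secure == "TRUE", "persistent": int(expiry) > 0}

def audit(text):
    """Return (domain, name, reasons) for cookies worth a closer look."""
    findings = []
    for c in parse_cookies(text):
        if not SENSITIVE.search(c["name"]):
            continue
        reasons = ["name suggests stored secret"]
        if c["persistent"]:                     # expiry 0 means per-session
            reasons.append("persists across sessions")
        if not c["secure"]:
            reasons.append("may be sent over plain HTTP")
        findings.append((c["domain"], c["name"], reasons))
    return findings

if __name__ == "__main__":
    for domain, name, reasons in audit(SAMPLE):
        print(f"{domain}: {name}: {', '.join(reasons)}")
```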




