Archive for January, 2009


CHR.DarkFiles.US » Blog Archive » Apple Arrogant or Secure.

Their arrogance is partially justified due to superior design. The Unix system they use is multi-user by design..unlike Windows, which is not truly multi-user. 90% of everything a user is going to do in a Unix system is done inside userspace..so unless the user intentionally runs as root (which Mac does not make easy), a virus can really only damage your user space. Criminals will go after the easiest target..right now, even with Vista’s design improvements, it’s still based on 20 year old NT code which has some serious deficiencies that make it a very easy target. The biggest, and the one that continues to get leveraged, is IE via ActiveX. The fact it has the largest installed base doesn’t hurt either.

The author mentions the worm found for Macs. It doesn’t compromise the entire system and is relatively harmless. The fearmongering of Sophos is quite evident in their posting about this worm. It’s a low grade threat that does contact harvesting. No big deal.

Let me give you an example. Do you know what the largest installed base across Linux and Windows is for web servers? Apache. It’s open source, modular and designed with security in mind. Apache getting compromised..that happens, yes it does..but it’s typically limited to Apache’s userspace because Apache doesn’t run as root. IIS runs as SYSTEM in many cases, which is a lower level of access than administrator. For Apache..you compromise Apache, it’s mostly only Apache that’s hosed..you compromise IIS, you have a direct conduit to the kernel via SYSTEM most times..same for IE.

Apple and the Unix guys have a good reason for their smugness. They don’t rely on patched up 20 year old code that tries to masquerade as a secure multi-user operating system..they actually do run one that’s designed that way from the beginning.

Right now the MS servers are getting hammered.  I’m going to put this on my notebook and we’ll see how it works..:)

linux_timeline.png (PNG Image, 2888×2079 pixels).

I found this interesting…enjoy.

SSL broken! Hackers create rogue CA certificate using MD5 collisions | Zero Day | ZDNet.com.

The sky is falling!!!!! The sky is falling!!!!! There is a ton of heavy breathing going around about this issue and it’s not necessary at all.

This is a non-issue for the majority of folks and the “solution” is only a stopgap. SSL itself..WAS NOT CRACKED, only the digital signature algorithm. The proposed solution, moving to SHA-1, which has been broken since 2005, is only a stopgap at best. This is a configuration issue. ALL browsers inherently treat groups of entities as trusted, so their certificates are automatically trusted. If this is removed and folks are forced to inspect the certificates, this would mitigate this attack..except most folks won’t check the certs..Most of the users are lazy and therefore this convenience is added. This convenience is the reason this attack can succeed. Moving to an already broken hashing method to fix another broken hashing method, to fix what is inherently a configuration problem based on laziness, isn’t the fix.

This is one thing that is probably going to make national news..panic a ton of folks..and the techie community is going to stampede to SHA-1, which has been broken since 2005. I personally do not know of another hashing algorithm that’s unbroken as of yet.  SHA-1 still takes quite a bit of computational power to use its attack vector, but it’s well within modern COTS Beowulf clusters now in operation.  Since the XBOX360 has 3 cores and the PS3 has effectively 8, the amount of hardware needed to compromise SHA-1 is much less than in 2005 due to increased computational power.  It won’t be long before we hear of a similar type of attack on SHA-1 either.

What does this mean to the average person?  Not much.  How can this be mitigated?  Have the browser manufacturers remove their trusted CA pools and at least make the clients have to click through the certs.  Inspecting them is not hard really..you just have to read.  If the user doesn’t take the time to read and inspect the cert then it’s nobody else’s fault if they get nailed.

Startup Founders Turn Android into Desktop OS – PC World.

Now this is interesting.  Read on for full details.

*UPDATE UPDATE UPDATE*

1. Download the latest RC version from Openvpn.net.

2. Create a shortcut to your OpenVPN GUI file. Right click the shortcut and click properties. Under the ‘Shortcut’ tab, click ‘advanced’. Check the box that says ‘Run as administrator’ and then click ‘OK’ and ‘OK’ again.

3. *optional* Turn off UAC and step two is not needed.

This gets OpenVPN to work under Vista 32 and 64 bit.