Archive for the ‘Malware’ Category

CanSecWest and OS X: Where are our priorities?

Saturday, April 5th, 2008

I’m sure that by now everyone and their grandmother has heard that an ex-NSA employee by the name of Charlie Miller has managed to r00t a MacBook Air after directing the machine to a website with malicious code [1].

OS X security implications aside, my first reaction was not anger or shame; it was puzzlement. I went on searching for a source which would give me more details about the actual hack. I knew that Charlie Miller signed an NDA, promising not to talk about the exploit; but what I needed to know wasn’t necessarily the technical details of the exploit. I simply wanted to know what he did from an onlooker’s point of view. There was reportedly an audience of 20 people, cheering Charlie Miller on [2].

What did Charlie do exactly? Did he just click on a link? Did he click on a link and press to confirm the installation of [something]? Was the MacBook Air logged in and running as an administrator? Does the exploit work on a non-administrative user account, assuming that the user only surfs to the exploiting webpage without clicking anything to confirm the execution of any additional code?

I can only assume that the MacBook Air was indeed logged in as the default administrative account, where the user does have most administrative privileges, though only after confirming his or her administrative actions via a warning dialog box, à la Vista UAC and Ubuntu.

Three operating systems were put to the test; OS X failed first. What would you expect the result of this to be? Would people attempt to figure out what really happened and then quickly distribute information about protecting against the flaw in Safari 3.1? OF COURSE NOT! This OS X hack gives the Apple (and Apple user) haters an excuse to unleash a torrent of abuse, ridicule, and pompous bragging about their own respective platforms. In return, the Apple “zealots” unleashed their own set of abuses, ranging from profanities, to making fun of the form factor of some unfortunate Dell laptop, and of course, bragging about the Apple experience. Go to Technorati right now and search for “CanSecWest Mac” and you’ll see exactly what I’m writing about.

Folks, is this really the best thing to be doing? I know that certain Mac “zealots” tend to be very offensive to many people. I know that Steve Jobs is a bit annoying to some. I know that to some the sight alone of an Apple store causes uncontrollable convulsions and sickness. Does that mean that we should all turn into the Apple “zealots’” counterparts and use their own tactics on them? I hope not.

Now off to find out what I can do right now in order to protect myself…

Note: I’m a very happy Mac user, a recent convert from Windows/Linux.

UPDATE: According to John Gruber of Daring Fireball, “contest-winning exploit took advantage of an overflow bug in the PCRE regex library used by WebKit’s JavaScript engine.” Gruber also stated that this issue has been fixed by WebKit developers. My advice to you is to stop using Safari for the time being and to start using the latest build of WebKit. You can also use Firefox or Camino if you’d like. And most importantly, don’t run as an administrator on your Macs, Windows machines, or Linux machines.


[1], [2]. http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html
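The update above ends with the one piece of advice that does not depend on a particular browser: don’t do your day-to-day browsing from an administrative account. The following script is an added example, not code from the original post; it checks which privileged groups the current Unix-like account belongs to. The group names are assumptions about common conventions (admin on OS X, sudo on Debian/Ubuntu, wheel on BSD and Red Hat systems), and the grp/pwd modules only exist on Unix-like platforms.

```python
"""Report whether the current account is an administrator.

Added example, not part of the original post. ADMIN_GROUPS is an assumption
about common group names: 'admin' on OS X, 'sudo' on Debian/Ubuntu,
'wheel' on BSD and Red Hat derived systems.
"""
import grp
import os
import pwd

ADMIN_GROUPS = frozenset({"admin", "sudo", "wheel"})


def admin_groups_for(groups):
    """Return the sorted subset of `groups` that grant administrative rights."""
    return sorted(ADMIN_GROUPS.intersection(groups))


def groups_of_user(username):
    """Resolve every group `username` belongs to from the system group database."""
    primary_gid = pwd.getpwnam(username).pw_gid
    names = {grp.getgrgid(primary_gid).gr_name}
    # Supplementary groups list their members by name.
    names.update(g.gr_name for g in grp.getgrall() if username in g.gr_mem)
    return names


def current_user_admin_status():
    """Return (username, is_root, admin groups the user is in)."""
    username = pwd.getpwuid(os.getuid()).pw_name
    found = admin_groups_for(groups_of_user(username))
    return username, os.getuid() == 0, found


if __name__ == "__main__":
    user, is_root, found = current_user_admin_status()
    if is_root:
        print(f"{user} is root: browse and read mail from a separate, unprivileged account")
    elif found:
        print(f"{user} is an administrator via {', '.join(found)}: "
              "consider a standard account for daily use")
    else:
        print(f"{user} is a standard (non-administrative) user")
```

On a Mac, run it from the account you actually browse with; the OS X installer makes the first account a member of admin, which is exactly the configuration the post assumes the contest machine was in.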

Why Spyware Removal Doesn’t Work

Wednesday, April 2nd, 2008

First of all, malware (e.g. viruses, worms, Trojan horses, spyware, and adware) cannot be completely thwarted by any anti-malware program. Think about it this way: you’re a single American guard in charge of protecting the whole Mexican/American border from illegal immigrants. Now, regardless of how you feel about the issue of illegal immigration, you will not be able to prevent it. The immigrants have to find a single place to cross while you have to guard everything. In the same way, the computer attackers have to find one hole in your computer, while you have to plug all the possible holes (even the ones you don’t know about). It’s not possible.

The most important thing to keep in mind when trying to avoid malware on the Internet is behavior. Most malware nowadays depends on you doing something (e.g. visiting a site, opening an e-mail attachment, etc.). If you never do the wrong things, you will greatly minimize the chances of being compromised.

The second most important thing when trying to avoid malware is your computing platform. If you’re using Windows, don’t be surprised when the bad guys start time-sharing your computer behind your back. (I am aware that you can keep a perfectly safe Windows box, but can your grandmother?) If you want to truly be safe, you need to ensure that your platform is secure. If you need to use Windows, you can use software like VMware to browse the Internet and read e-mail. And after you’re done, you just reload your VMware image and it is like nothing has happened. It is the operating system’s equivalent of an Etch A Sketch. Another thing you may consider doing is moving to a Mac or installing a Linux distribution. Historically there have been thousands upon thousands of different pieces of malware for Windows and only hundreds of these things for both the Mac and all Linuxes combined. You don’t need to be a statistician to see which one has a lower chance of being infected.

The third most important thing is keeping your anti-virus up to date and having a so-called Internet router in front of your computer. Never, never connect your DSL modem (unless it’s also an Internet router) or your cable modem directly to your computer. Doing this effectively ensures that you’ll have malware company, sometimes within minutes. There are old worms like Blaster which are continually scanning the Internet for new victims. Most computers, when first deployed directly behind a DSL or cable modem, are vulnerable to worms like Blaster that exploit recently (or not so recently) patched flaws.
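The “malware company within minutes” claim is easy to see for yourself if you log what a directly exposed host receives. The script below is an added example, not code from the original post: it runs over a few constructed firewall log lines (netfilter LOG-target style, documentation IP addresses) and groups inbound probes by the ports old worms are known to scan. The port list is an assumption drawn from well-known worm behavior: Blaster targeted the RPC service on TCP 135, and SQL Slammer targeted UDP 1434.

```python
"""Summarize inbound probes on worm-associated ports from firewall logs.

Added example, not from the original post. SAMPLE_LOG is constructed
(documentation IP ranges) in the style of the Linux netfilter LOG target.
WORM_PORTS is an assumption based on well-known worm behavior.
"""
import re
from collections import defaultdict

# Ports that unsolicited inbound traffic to a home machine almost never needs.
WORM_PORTS = {
    135: "MS RPC (Blaster)",
    445: "SMB",
    1434: "MS SQL monitor (Slammer)",
}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dpt>\d+)")

# Constructed sample lines; a real log would carry more fields (MAC, TTL, ...).
SAMPLE_LOG = """\
Mar 30 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=135 SYN
Mar 30 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=445 SYN
Mar 30 12:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=135 SYN
Mar 30 12:00:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434
Mar 30 12:00:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
"""


def parse_line(line):
    """Return (src, proto, dport) for a netfilter-style log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def worm_probes(log_text):
    """Map each worm-associated destination port to the set of sources probing it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _proto, dport = parsed
        if dport in WORM_PORTS:
            hits[dport].add(src)
    return dict(hits)


def report(log_text):
    """Print a per-port summary; return the number of distinct probing sources."""
    hits = worm_probes(log_text)
    sources = set()
    for port, srcs in sorted(hits.items()):
        sources.update(srcs)
        print(f"port {port} ({WORM_PORTS[port]}): {len(srcs)} source(s): {', '.join(sorted(srcs))}")
    return len(sources)


if __name__ == "__main__":
    n = report(SAMPLE_LOG)
    print("exposed host: background worm scanning like this is normal"
          if n else "no worm-associated probes in the sample")
```

Behind a router that does NAT, none of these packets reach the PC at all, which is the whole point of the advice; on a directly connected, unpatched machine each of those SYNs is a chance for the worm to land.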

If you have to use Windows, make sure that you are using a good browser. It is usually your first level of defense against the bad guys. Never use Internet Explorer 6. It is just bad. Not to mention that it is hardly even supported by Microsoft anymore. If security is key for you, you will forgo Internet Explorer 7 and even Firefox and use Opera. Give Windows Vista a chance. For all its shortcomings, it’s still a fairly good platform as far as security goes.

Finally, spyware removal should not even be an option. Imagine that you live in a castle (i.e. your computer), like the ones in medieval England. One day you leave your castle to go shopping and 1,000 thieves (i.e. spyware) break in. You come back and you realize that there are intruders in your castle. You promptly call the police (i.e. anti-spyware, or spyware removal programs) who go through the castle and throw out the thieves. My question to you is: do you not feel safe to sleep at night in your castle? Are you 100% sure that all of the 1,000 thieves have been thrown out?

Once you are (or you think you are) compromised, format, learn from what you did wrong, and move on.

Secure Gmail-ing

Wednesday, November 28th, 2007

Most people I know who use Gmail sign in by simply going to gmail.com. Hell, up to a few weeks ago I used to do the same thing. When you sign in like that your authentication is perfectly secure because you’re using Google’s SSL certificate. However, once you’re signed in, you’re on your own! There is nothing stopping random people from sniffing your traffic and getting your banking information and social security number. There is also nothing preventing Paul Asadoorian from changing your default language.

Here’s a little trick to keep your connection to the Google mail servers secure. When signing in use the following link: https://mail.google.com. This way you will stay encrypted even after you authenticate. Also, if you use a nifty little Firefox extension by the name of CustomizeGoogle, you can set an option there to make sure your traffic to Google Mail (and other Google services) is always encrypted.
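What the extension does for you mechanically is rewrite plain http:// Google URLs to https:// before the request leaves the browser, so the session cookie that identifies you after login never travels in the clear. The script below is an added example, not code from the original post or from the CustomizeGoogle extension: it implements that rewrite for an assumed host list and, as the check a practitioner would also want, flags cookies that lack the Secure attribute (those are the ones a browser would still send over plain HTTP). The Set-Cookie headers are constructed sample values, not Google’s real cookie names.

```python
"""Keep a webmail session on HTTPS and spot cookies that would leak over HTTP.

Added example, not from the original post. FORCE_HTTPS_HOSTS is an assumed
list; SAMPLE_SET_COOKIES are constructed headers, not real Google cookies.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts whose sessions should never travel in the clear (assumption).
FORCE_HTTPS_HOSTS = {"mail.google.com", "www.google.com", "docs.google.com"}


def force_https(url):
    """Return `url` with the scheme upgraded to https for listed hosts; else unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "http" and host in FORCE_HTTPS_HOSTS:
        netloc = parts.netloc
        # An explicit :80 would be wrong for a TLS connection; drop it.
        if netloc.endswith(":80"):
            netloc = netloc[:-3]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0]
    attrs = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def cookies_exposed_over_http(set_cookie_headers):
    """Names of cookies a browser would also send on plain-HTTP requests."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample headers for demonstration only.
SAMPLE_SET_COOKIES = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Path=/; Domain=.example.com",
    "LOGIN=xyz789; Path=/mail; HttpOnly",
]

if __name__ == "__main__":
    for u in ("http://mail.google.com/mail/?q=budget",
              "https://mail.google.com/",
              "http://example.com/"):
        print(u, "->", force_https(u))
    print("cookies that would leak over HTTP:", cookies_exposed_over_http(SAMPLE_SET_COOKIES))
```

The URL rewrite is the client-side half of the trick; the Secure attribute is the server-side half, and only a server that sets it can guarantee that a cookie stays off plaintext links no matter what URL the user types.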