Thursday, March 10, 2011

No, your operating isn't perfect either

When I was in college, I gave up on Microsoft's operating systems (I got tired of Windows freezing on me) and ran a distribution of Linux called Debian for a few years. For my needs, it worked well, probably even better than a Windows system did. I did a lot of programming, and the Linux operating system was very similar to the Unix (Solaris) operating system that our assignments ran on.

When I teach introductory classes, I have students who have Macintosh computers at home or people running Linux. When we come to computer security, I will generally mention the idea of antiviruses. I generally will have some student say "I don't need one because I am not running Windows". Sometimes, I even get "you can't get a virus on a Mac (or Linux) system".

This is factually incorrect. In security, there are no absolutes. There are viruses, malware, and other programs which end up out there for both operating systems. This doesn't mean the Macintosh and Linux operating systems aren't inherently safer, however.

If I am a hacker, I have to determine my audience (much like a research paper). Who am I hacking? The answer is probably something like "new computer users". Most new computer users are not running Linux, and therefore, if you are writing an exploit, you want to target non-Linux users. Similarly, if you are writing an exploit through the Web, you want to target your biggest audience, and that would be Windows operating system users running the default browser (Internet Explorer). Of course there are other reasons you might target the Windows/IE combination (such as Active-X controls).

The reason this is on my mind...out at the Pwn2Own hacker challenge, some folks from a French penetration testing company hacked a fully patched Mac. They did it using an exploit in the Safari browser.

Link to story

Teams will also compete to create more exploits for a number of different browser/OS/plug-in today and tomorrow.

No comments: