Related articles

• Alan: When the NX bit was first introduced, it was supposed to dramatically reduce the amount of malware. Suppose the Alan Dang Web browser had a bug in the code that parses the URL. If I had a Web address that was too long, it’ll end up copying that data into the memory that’s beyond the space allocated for data. The machine will execute that code and now it’s compromised. My understanding is that the NX bit prevents that from happening. But it seems as if the developers of malware simply transitioned to other methods of exploiting a system. Nowadays, the buzzwords are 64-bit ASLR, code signing for kernel extensions, or sandboxing? How much of this will help? Charlie: The NX bit is very powerful.When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me. Alan: And just so that our readers know, ASLR is implemented in Windows Vista (but not XP) and Vista SP1 is required for the full ASLR. Leopard had some binaries placed randomly, but Snow Leopard is rumored to introduce full ASLR. On Linux, kernel 2.6.12 has a weak form of ASLR like Leopard does, but PaX and ExecShield will implement Windows Vista-like ASLR. I know you can't talk about this year's Mac exploit, but let's talk about last year's Safari flaw. To win, you were able to remotely execute code on the MacBook Air. I would imagine that a malicious hacker would have then directly installed malware without triggering the confirmation for root access, etc? Charlie: In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.  Alan: In hindsight, was there anything that could have been done on the user end? That is, if you had outgoing firewalls, anti-spyware/anti-malware software, weren't logged in as a root user, would that have done anything to limit the extent of the breach? Charlie: None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped. 

• Today’s Apple PCs work well with Windows PCs. Samba networking is built-in, allowing you to share files with Windows PCs. The aftermarket combo of MacFUSE and NTFS-3G also brings read and write access to NTFS drives (although there is no way to chkdsk an NTFS formatted drive in OS X). One of the strengths of Linux and Windows over OS X is the wide variety of software that’s available. What makes the Apple sandbox so viable is that the internal set of software is robust enough to stand on its own. A lot has been said about the iLife suite, but one great example of Apple software is Time Machine. Time Machine brings EMC/Dantz Retrospect-like functionality for single-user PCs. All you have to do is specify where you want your backups stored. With the current version of OS X, you can specify an external HFS+ formatted drive or an AFS shared store. If you’re using an AFS shared store, Time Machine will store the file in a single file (“sparsebundle”). If you’re using a local external drive, Time Machine will store the files individually. For the initial backup, Time Machine makes a complete duplicate of your computer ignoring caches and temporary files. After the initial backup, Time Machine makes incremental backups updating only the changed files. Time Machine saves the hourly backups for a 24 hour period, daily backups for the past month, and weekly backups for everything older than a month. This allows you to recover from a complete failure of your hard drive with, at worst, a one hour backup. More important, this protects users from user error. If I accidentally hit save instead of save as… and overwrite an important original file, it will be possible to skip back and restore a file from a specific point in time. What’s nice about Time Machine is that it works well and encourages regular users to regularly backup their data. The integration into the operating system is seamless and it feels like a built-in-feature as opposed to “bundled 3rd party software.” In the current version of OS X, no compression is used. Snow Leopard (OS X 10.6) will be adding HFS+ compression capabilities that will increase the number of files that can be stored. NTFS has had compression for ages.

• Alan: That’s a great point. I recently submitted a request to Apple to allow selective file sharing policy on my notebook. Its fine to have file sharing enabled when I’m at home, but when I’m at a coffee shop or other public access point, I hate having to manually disable file sharing. Dino: I really like Apple’s Network Locations feature for network configuration and I would also like it if I could associate my network security settings with it also. Windows Vista actually has a good system for this by letting the user identify networks they connect to as “Public,” “Private,” or “Work.” Alan: Earlier this year, Steve Balmer talked about Microsoft's investigation of Webkit and ultimate decision to stick with Trident. Web developers would love to have more consistent rendering engines, but from a security standpoint, does it make sense to standardize around one set of code? That is, last year's MacOS exploit and the iPhone exploit were both breaches in the same underlying Javascript code. Since IE8, Firefox, Chrome, and Safari use different Javascript engines, a single exploit wouldn't be able to target all of them. Or, do you think standardization is better because you can collectively pool your resources to develop more secure code? Dino: While standardization helps create a more secure single standard, it means that any breach of it will be highly applicable to Internet systems. I believe that more diversity in computer systems helps strengthen the ecosystem against attack. Having many diverse targets decreases the profitability of malware and once it ceases being profitable, there will be much less of it. Alan: If you had to make a recommendation: Mac, PC, or Linux?  Or do you find them to be equally (in)secure? Dino: For most consumers and home users, I recommend a Mac because they are currently targeted less by Web malware. They also tend to be easier to use so I get less tech support calls. If a user is slightly more technical and/or adventurous, I recommend that they give Ubuntu Linux a try. I recommend Windows Vista for businesses because it is a more secure operating system and better suited towards management in the enterprise. Alan: Any reason for Ubuntu specifically (full disclosure: I run Fedora on my Linux workstations)? Dino: I have found Ubuntu to be more user-friendly and I personally prefer Debian-based Linux distributions to the others. But I don’t want to start any religious wars here. Alan: For our Windows-based PC users, what are some tips for running a "secure" PC? What about our Mac users? Linux users? Dino: PC users should move to Vista or Windows 7 as soon as possible to make use of their security features. Mac users should do the same with Snow Leopard. Linux users are already pretty well served by the leading desktop distributions, so they shouldn't need to take many additional precautions. For all of these operating systems, the National Security Agency (NSA) Systems and Network Attack Center (SNAC) freely publishes in-depth secure configuration guides that can be followed to further harden your operating system environment. (Ed.: the NSA’s guidelines can be found here)