RE: Re: Administrivia: Testing Emergency Virus Filter..

["Gary E. Miller" <gem () rellim com>]

Yo Paul!

On Wed, 20 Aug 2003, Paul Schmehl wrote:

> Now change the word "virus" to "trojan" or "rootkit", and your defense of
> *nix falls apart.

Notice I never used the words UNIX.  NT can be run in a trusted manner,
just not with an ethernet card according to the US Gov standards.
Several OS other than Unix have achieved trusted system status from the
gov.  Only a very few Unix have.  When the No Such Agency speaks, you
should listen.  They have a pretty good track record, both on offense and
defense.

Any system can fail, some just fail less often and/or less
catastrophically than others.  A trusted system has more tools for
defense in depth.  If a trusted system is configured and used properly
then a trojan or rootkit is more likely to only seize a user account not
the entire system.  That is why a web server or mail server should only
be run under untrusted user accounts.  It limits damage.  This is a lesson
all OS vendors are slowly learning.  Some more slowly than others.

> OSes aren't secure unless *people* properly configure them.

Yes, but some come better prepared out of the box.  More so as
experience has been gained.  Only in the last few years have unix
systems come with services off by default instead of on by default.  A
recent lesson learned.  Only a few re-distros of WinXX do this.  More
will soon.  Not to say that any OS can not be crippled by a poor admin.

> *Any* OS can be hacked if it's not properly maintained.

True, and some are a lot easier to maintain than others.  Some are more
forgiving than others of carelessness.  All of them need to improve.

Windows CAn be made to work, look at OS/2, it just has not happened yet.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676


> --On Wednesday, August 20, 2003 17:37:48 -0700 "Gary E. Miller"
> <gem () rellim com> wrote:
> > The difference is this between and secure OS and an insecure one.
> >
> > On an Insecure OS, the virus gets in. glues itself on anywhere in the
> > machine.  Maybe it attaches to a boot sector, maybe appends itself to
> > a system file, edits registry, maybe all the above and a lot more,
> > whatever.  User logs out, the virus still runs as admin or root.
> >
> > Some virii even have hooks to turn off personal firewalls in an insecure
> > OS.
> >
> > On a Secure OS, the virus can only write to the (normal) users home
> > directory.  Easy to find.  Easy to delete.  Virus can not write to
> > registry, boot sector, system directories, etc.  Then when the user logs
> > out his processes are terminated or he is warned of something still
> > running.  So virus does not continue after log out.
> >
> > On a secure OS, the (normal) user can not edit the personal firewall
> > setting so the cirus can not bypas that easily.
> >
> > Very secure OS can add even more restrictions on what a user can do.  Like
> > prevent the user from running daemons, bots, etc...
> >
> > The makes a huge difference in how easy it is to be infected, how easy
> > it is to detect infection and how easy to disinfect.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html