David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.
Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.
A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.
Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.
Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.
But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.
“He knew better than that,” Dunn said of his boss’s logging into the family Windows machine. “The thing about it is this wouldn’t have been able to happen if the security had been in place that is currently in place, which means he can only access the bank’s site from his Mac. We no longer allow access from any other computer other than his.”
Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the money mules who had been sent the firm’s money and asked to wire it overseas to the fraudsters.
“This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,” Dunn said. “He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he’d figured out by that point what had happened.”
Dunn added the company’s bank is disavowing any responsibility for the incident, but that there is a small silver lining.
“Our take is we weren’t provided the utmost security to prevent this from happening,” he said. “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”
Further Reading: Target: Small Businesses




What is needed is one-time keys like the RSA keys; this would have prevented the issue quite nicely. If the attacker got the password, unless they made a transaction within one minute, they would have been shut down by the rolling key. As an added layer of security the bank could be monitoring what IPs you are logging in as. See two IPs within a minute? Something is up… See two IPs in one minute with a large distance between them? Something is really up! This isn’t a Windows vs. Mac thing. This is just proof you should never use an untrusted machine for any of these services. A Mac machine is just as likely to have a keylogger as anything.
Hot debate. What do you think?
45
42
Thank you, Daniel, for lobbing that conversational hand grenade.
Couple of points about RSA keys and one-time tokens. They used to be quite a hurdle for the bad guys. Now, they’re more akin to speed bumps. Look through the stories at the Target: Small Business category to the right and you’ll see plenty of real-life examples of companies getting hit even though they were forced to use RSA keys and token devices.
The other thing to keep in mind is that in many cases, the attackers are using a feature built into Zeus called “backconnect,” which means they log in to the bank’s site using the customer’s *own machine* and IP address.
Finally, I’d take strong exception to your blanket statement that Macs are just as likely to get a keylogger as anything. ALL of the victims I’ve interviewed (>100) were Windows users. Seeing a pattern here?
Well-loved. Like or Dislike:
66
26
Brian, have you analyzed how many of the 100+ were the wife’s machine? Perhaps wives are to blame. Looking beyond snark, my point is that without full statistical analysis you’re making assumptions. It could be that Mac users may not report these as IT security issues because they believe their precious iGadgets are impregnable and surely a jilted ex-employee or corrupt bank teller is to blame.
Or Windows is buggy hole-ridden software, all things are possible.
Well-loved. Like or Dislike:
27
22
See my reply to Alan. So many people take this as a personal affront or a perceived Windows-vs-Mac face-off. Put down your fanboy flags for a moment, folks, and try to put yourselves in the shoes of a small business owner that just saw a year’s worth of earnings walk out the door because of a *single* Trojan infection.
Well-loved. Like or Dislike:
38
16
I’ll note that posters on this blog are probably amongst the more sympathetic to these horror stories you’ll find. But the criminals at the root of these attacks are pragmatists. They are going to notice the growing number of Apple devices, the greater penetration of OSX in the market, and the myth of immunity that is basically self-perpetuating at this point.
It is a critical security point that users must accept that the safety of OSX requires the same diligence as any other OS to maintain security: timely patching, software & browser hardening, and defensive browsing habits. That is advice that is platform independent.
It is ominous that SANS just recently posted about new Mac malware Onionspy:
http://isc.sans.org/diary.html?storyid=8890
Well-loved. Like or Dislike:
40
11
‘It is ominous that SANS just recently posted about new Mac malware Onionspy’
It’s not ominous at all. It’s not even a hack. It’s pure social engineering. You can own any system if you convince the sysop to give away the keys. It’s a non-story.
Well-loved. Like or Dislike:
12
4
Oh and it’s not ‘Onionspy’ either. It’s ‘OpinionSpy’. Research is really tricky, innit?
Hot debate. What do you think?
6
10
“So many people take this as a personal affront or a perceived Windows-vs-Mac face-off. Put down your fanboy flags for a moment, folks, and try to put yourselves in the shoes of a small business owner that just saw a year’s worth of earnings walk out the door because of a *single* Trojan infection.”
This might be true, however, Apple fanboys *did* start this, namely that banking guy or whatever.
When someone says “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”, then I can sort of understand why the Windows people raged. I mean seriously?
You can’t be annoyed at “fanboys” when you just implied that Apple shall fix all thine problems.
Well-loved. Like or Dislike:
12
3
This clearly is an attack on Windows and is Apple fanboy propaganda because the title says “Using Windows for a Day Cost Mac User $100,000”.
It could have said something along the lines of “Using an Unknown, Unsecured Computer Cost Business Owner $100,000”, which is more true to the situation presented in the article.
Well-loved. Like or Dislike:
15
3
“they believe their precious iGadgets are impregnable and surely a jilted ex-employee or corrupt bank teller is to blame.”
well, yes. Very close, but it seems jealous infected Windows users like to use absolute words like “impregnable”.
When you say “iGadgets” I think of iPad, iPhone, iPod Touch, etc. Software and media for those devices is available only through the iTunes Store, where everything is checked out for security. Problems still might happen, but are VERY much less likely.
It certainly is one solution, and one they take a lot of grief for.
We’ll have to wait and see if any Android programs end up being security issues.
Also, for a mac user, $100k might not be a big deal to be noticed ; )
Like or Dislike:
0
0
Brian, I enjoy your reports, but following up on Alan’s comment, what are you going to suggest in 5 years when everyone is a Mac user and the same cyberthugs are cranking out malware that exclusively targets and exploits Macs: switch to Linux or back to Microsoft? These incidents happen because of poor user actions/practices tied to vulnerabilities in web servers and client-side mobile code. If you secure even one of the three you greatly reduce the attack surface. The OS just happens to be the current target based on ROI. Why would cyberthugs target a low-density OS, especially in this day of automated exploits, when you can get a much better return on the OS of the day?
Well-loved. Like or Dislike:
30
9
Hrm. Well, I’ll probably still be suggesting what I have been blaring for the past year: That business owners should bank on a LiveCD
E-Banking on a Locked-down (non-Microsoft) PC
http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html
Avoid Windows Malware: Bank on a Live CD
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
Well-loved. Like or Dislike:
36
9
OSX, Windows, Linux, etc all allow for discretion to the end-user. They are all equally (in)secure.
These systems all have security mechanisms as defined in the Controlled Access Protection Profile (http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf).
The security for these systems is meant to be effective in “cooperative, non-hostile environments”. Clearly, the security of these systems is not meant for use on the internet.
To say one is more secure than the other is misguided.
Well-loved. Like or Dislike:
13
9
“what are you going to suggest in 5 years when everyone is a Mac user”
1. Most Windows users can still use Windows, just not online.
2. This is not about OS “code quality” per se, but instead about market share. In general, malware is about profit, and encounters machines at random. When is it going to be more profitable to attack Macs or Linux if 91 percent of browsing occurs under Windows? Will the situation change if Windows becomes “only” 80 percent, or even 60 percent, or even less?
3. 5 years gets us 5 years down the road. Maybe Microsoft or Intel will wake up. Maybe we will get real hardware and software fixes. Maybe we will be dead. Problem solved.
“these incidents happen because of poor user actions/practices”
4. In many cases users do enable an attack. But no matter how much you know or who you are, you will still occasionally make human errors. And when a single error can cause a massive failure, it is time to get humans out of the loop as much as possible.
“Why would cyberthugs target a low density OS especially in this day of automated exploits when you can get a much better return on the OS of the day?”
5. Exactly! But the real problem is infection, and current Mac designs can be infected like Windows boxes. If we all switch to another infectable OS, we can expect similar results, eventually. But if we switch to booting from DVD, or get a new hardware protection level to prevent infection, that is a different issue. That is not just moving to a new OS, that is solving the problem.
Well-loved. Like or Dislike:
17
12
Saying that it’s more profitable to attack Windows because “there are more of them out there” is simply ignoring the contrary evidence of web servers.
Apache outnumbers IIS two to one.
*Cracked* IIS outnumbers cracked Apache *four* to one.
Okay, we know that IIS is plagued by the underlying flaws in Windows, but if you’re going to claim that it’s the majority player that’s most at risk, then why aren’t there more cracked Apache boxes out there? (Oh, and to ram the point home even more, what few Apache exploits I’ve heard of recently have all targeted add-ons, not base Apache, so the majority player must be pretty solidly armoured against attack!)
Cheers,
Wol
Well-loved. Like or Dislike:
20
13
“Saying that it’s more profitable to attack Windows because “there are more of them out there” is simply ignoring the contrary evidence of web servers.”
Actually, the argument is that malware development, distribution and operation are motivated by profit. We confirm that goal from articles on this blog.
Malware attacks generally find computers at random, and then must function in whatever environment is found. Since Microsoft Windows supports about 91 percent of browsing, malware can either be ready for Windows and able to run 91 percent of the time, or ready for the Mac and run 5 percent of the time, or Linux at 1 percent overall (and even less for particular Linux distributions).
All things equal, malware is 91 times more likely to run and produce profit on Windows than on Linux. But even if Windows had just 40 percent of browsing and 3 competitors each with 20 percent, while only 40 percent of Windows malware insertions could run, that would still be better (and probably more profitable) than the alternatives.
However, suppose some OS manages to develop, patent, and field some sort of virtually complete malware protection. Those users might quickly outnumber others, and yet still be less profitable for malware to attack. The game is profit, not numbers.
Web servers are a different ballgame: They are not attacked to reveal credentials or take over open accounts, but to distribute malware and spam. In that role they have a certain worth to justify the attack investment, but comparing server attacks with user attacks is comparing apples and oranges.
“if you’re going to claim that it’s the majority player that’s most at risk, then why aren’t there more cracked Apache boxes out there”
Because the name of the game is profit, not winning more boxes, unless that somehow delivers the most profit.
“what few Apache exploits I’ve heard of recently have all targeted add-ons, not base Apache,”
Attackers have real goals and real costs. When an attacker can get the same benefit more easily by attacking add-ons, we can predict they will do that. It is just that simple.
Well-loved. Like or Dislike:
15
9
Cranking out malware that targets other platforms? What malware is that? Unix was built with security in mind (and as a high priority) from the get-go. Windows wasn’t. Windows is a hardware interface more than an operating system. The tipping point is where it is profitable for organised crime to stay off the streets and hack away instead. Unix just makes the whole proposition harder by several orders of magnitude. This isn’t news. It’s been out there for years. Buy a clue.
Well-loved. Like or Dislike:
18
14
Rick, I would add that Unix system administrators and users are typically going to be more vigilant than Windows users and administrators. I know that I am more conscious of the security weaknesses of the Apache servers that I had to set switches and compile, than the IIS servers I’ve used.
Like or Dislike:
1
0
John, cheers, Unix admins are way more educated. Most of them are familiar with Windows (who isn’t) but Windows admins aren’t generally familiar with Unix.
(If they were then they wouldn’t be on Windows, would have advised against it, would have established draconian security procedures if they couldn’t get management’s ear, or just gone out and got a better job.)
But playing the security game with Unix makes sense. You can work with it. Security is not a pipe dream – it’s a real possibility (and therefore a responsibility). Unix shops (the good ones) work on an entirely different premise.
Windows shops don’t really attack security issues in the same way because they know they’re actually dealing with an impossible situation. They play ‘ketchup’ instead. Try to stay within striking distance of the bad guys – which means a few miles behind.
They go through the motions only. They know AV can’t protect them and yet they take all the patches and updates… But for what? It’s hopeless.
You can’t really care about security in a Windows shop because you’ll be tearing out your hair and screaming bloody murder all the time. You can’t help but care about security in a Unix shop because Unix is a cornerstone of Unix and you can’t blame Microsoft if your network gets hacked. Unix *can* be secured (and should be). Windows is beyond hope.
It’s both educational level and knowing whether real security is possible. Even the people from Microsoft in this comment thread know it to be true.
Well-loved. Like or Dislike:
8
1
… because *security* is a cornerstone of Unix… DUH. Security was built into Unix from the ground up, from the get-go. Individual accounts, granularity in privilege levels, privilege escalation with authentication, full comprehensive file permissions… Windows is Unix in single user mode. Everything else – the Keystone Kops.
Like or Dislike:
5
2
What is required is a separate trusted PATH to the user, either a hardware dongle which can authenticate TRANSACTIONS (eg, we describe one possible design and the rational http://www.icsi.berkeley.edu/cgi-bin/pubs/publication.pl?ID=002790 ), or a totally separate path (eg, like the SMS-based verification that some banks overseas are using).
ANYTHING that relies solely on the computer to authenticate a transaction after a user is authenticated can’t work.
Hot debate. What do you think?
11
9
1. Someone mentioned using two factor SMS. Well, that’d be great, if I couldn’t intercept it. It’s not encrypted, and is readily available to anyone with a Ham Radio License. (While it is against federal law to decipher it, it still is received by your radio set.)
2. The fact that most US banks don’t want to move to 2-factor auth tokens, because they don’t want the overhead and infrastructure is criminal. Even PAYPAL, who isn’t a bank, has 2-factor security available, and YOU the user pay $5 for the key. Hello banks, why can’t YOU do this?
3. Like I said earlier, it’s not an OS issue, or an Open-Source v.s. Closed Source discussion. It’s about the fact that there is “No patch for stupid”.
4. I completely agree, that in this case, the user went to a different machine, with different controls and expected the same security. Sorry, that’s a User Failure.
5. See Pebkac 101.
Hot debate. What do you think?
6
4
Actually, SMSs, like pretty much all GSM (or newer) traffic, *are* encrypted. But that’s not the point. Hackers can’t intercept SMSs because they don’t actually know who they’re hacking, nor do they know when and where the unsuspecting victim is going to log into his bank.
Like or Dislike:
1
1
Damn straight it’s user failure. It’s user failure for expecting a Windows box to be secure, for not understanding how incredibly much spin Microsoft have put into the market (and by populating blog comments) etc. It’s ‘blame the user’ again – the mention of which got you to mod Brian himself down.
You people seem to have been tasked to do your damnedest to never let anyone blame Windows for anything. Oh so much money at stake – damn the torpedoes and damn the Internet! We need the cash! It’s our market!
Seriously – isn’t it time you told your boss you don’t want to do this dirty job anymore?
Like or Dislike:
3
0
Ever consider the reason that this occurs more on windows based PCs is because they dominate the market share?
Not exactly an apples-to-apples comparison, I’m afraid…
Like or Dislike:
3
3
Better yet, let’s focus on Out Of Band Authentication or some other method to digitally “countersign” or confirm these types of transactions. Why in the world we allow money to be transferred out of accounts with just a click of a mouse button is beyond me… For all the billions we lose annually through cyberfraud, banks could have engineered and put into place a global banking OOBA solution that would provide another layer of security using one of the most common devices: a telephone.
Well-loved. Like or Dislike:
18
2
“let’s focus on Out Of Band Authentication or some other method to digitally “countersign” or confirm these type transactions.”
1. The “let’s” part of this involves influencing, coercing, or forcing a bank, and then all banks, into changing the way they do business. They love that. So all we need is a dictator “to get the trains to run on time,” er, I mean “to address malware.” But long before that happens, we can each take action, right now, today, and be running safe machines in a few days (or weeks, if we need a DVD writer and some DVD+RW discs). Waiting for things to be improved is not a great idea.
2. All of this authentication stuff is much trickier than it looks. The root problem is a bot infection which is resident in the customer computer and can act as a “man in the middle” between the customer and the bank. The bank does not have access to that machine. No on-line authentication of any sort, including RSA digital signatures, 2-factor and external dongles, can force security on a running bot.
3. Even off-line authentication by phone can be tricky. Most phones do not connect by secure wires to a central switch anymore. Nowadays many phones run on VOIP broadband, and are not particularly secure. Nor are cells, nor is texting. And of course none of the phone authentication can go back through the infected computer. So the bank must be forced (see 1, above) to take tedious voice approvals, along with accepting responsibility for knowing the correct voice or have yet more authentication.
4. Banks can enforce controls on where money is sent, but the mules are in the US, and the amounts are split.
5. Even in the best possible situation, having a resident bot eliminates secrecy. Your financial records belong to the bot-herder. There exist no tools which guarantee to expose such a bot. So even finding some sort of working authentication protocol does not really solve the problem. The real problem is the bot infection in the customer computer which possibly nobody can detect.
6. By booting from a DVD, you can avoid existing infection, which really does solve that problem. Yes, such a system can get malware, but only until it is restarted. Conventional hard-drive-boot systems remain infected until their OS is re-installed.
Well-loved. Like or Dislike:
13
2
In the UK I have a personal pin reader. When I set up a transaction, the web site sends me a security code.
I put my debit card in the pin reader, enter the security code, then enter my pin. The reader gives me an authorisation code, which I give back to the web site.
If my banking credentials are stolen, an attacker can’t generate the authorisation code, because it relies on me holding the (stand alone) reader and my debit card in my hand. (Actually, I think I can use ANY reader – what matters is the debit card.)
Cheers,
Wol
Well-loved. Like or Dislike:
4
0
CAP readers are better than nothing; however, it’s not true transaction authentication. The trojans hijack the browser and then either wait for you to log in or do another transfer, and reroute their own session challenge-response digits to you while they are authenticating their own transfer in the background. If the trojan is set up right it can even get a few transactions out of you by giving you a failed message (“please try again”), and since it owns the browser, when you do log in to check your balance they inject HTML with the original balance before their outgoing transactions, so you don’t even know you’ve been robbed.
Originally the plan was for the big 3 banks in the UK to be able to interchange their users’ cards with each other’s readers so there would be a cost saving; actually that’s how the system was originally sold, with the idea that a household could share one CAP reader, but typically banks implemented slightly different standards which prevent the cards being interchanged so readily.
Well-loved. Like or Dislike:
6
0
“2. All of this authentication stuff is much trickier than it looks. The root problem is a bot infection which is resident in the customer computer and can act as a “man in the middle” between the customer and the bank. The bank does not have access to that machine. No on-line authentication of any sort, including RSA digital signatures, 2-factor and external dongles, can force security on a running bot.”
Please explain how you can clear out my account if I’m using two-factor authentication. Even if you install a trojan horse with 100% control of my desktop, you’re not going to get the key off of my RSA Token without coming into my house and putting a gun to my head. (Please note: I’ll probably meet you halfway with my own.)
2-factor authentication is NOT difficult, as proven by Taiwanese Banks, some UK banks, and Paypal.
Ask your bank to support true 2-factor authentication. I have, and continue to ask, and if we have enough voices, perhaps the banks will actually provide the services that WE THE CUSTOMERS are requesting.
I for one, am now looking for a Credit Union on the West Coast, that will support 2-factor with a physical token.
Like or Dislike:
2
3
The problem is in the language: 2FA encompasses a lot of authentication types. To break it down simply, OTP (One Time Password) 2FA is broken and regularly being broken by the trojans. Let me explain how they do it.
There are 2 primary ways. First, the old-school phishing method (no trojan needed): once the user believes they are interacting with their real banking website they simply enter the OTP token code, which gets instantly sent from the attacker’s fake site to the attacker for a login from the attacker’s session. The attackers simply added Jabber instant messenger clients to their fake site’s code to get the OTP codes back to them within the 30-second window.
The second method is the same idea but via your real browser, which a trojan has hijacked (there are modules for all the different browsers), so now the address bar looks correct but everything, including the OTP codes, is being sent to the attacker’s automated session. You asked how they would get you to do this; essentially they just wait until you need to do it and detect that HTTPS connection, or with phishing they give you an email saying you need to log in right now for some reason. Now the next part is where most people don’t think much. Most banks using OTP tokens (including my own) request another OTP when you go to make an outgoing transfer or add a new outgoing account. The trojan / phishing site can’t show the user this, but they need another value after the initial login to do this. Their solution is simple: the user gets a “session expired… please login again”, which actually happens to me all the time when I’m internet banking, so I’m not surprised everyone falls for it. You are shown a new login page and you enter another OTP value thinking you are logging in, but in the background the attacker has just used that new OTP login value to authenticate his outgoing transfer.
And this is the essence of the problem which needs to be addressed: not 2FA so much, but 2FA with TRANSACTION AUTHENTICATION. The generic random numbers of OTP give no information to the user as to WHAT they are authenticating. This allows the trojans to play all sorts of games in the background, well beyond simply key logging. The user needs to be able to see for themselves on the separate device exactly what they are authenticating for 2FA to be really secure. Only a very few of the electronic tokens can do transaction authentication. I am constantly outlining them and anyone else is free to chip in: they are ZTIC from IBM (a USB device), tokens with transaction authentication built in (identifiable by an added keyboard on them, not just a single button), and my own non-electronic method, Passwindow.
Well-loved. Like or Dislike:
4
0
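The distinction drawn in the comment above, and in the earlier exchange about the UK CAP reader, is the difference between a code that merely proves the token is present and a code that is bound to the transfer being approved. The following is an added example, not code from the article or from any commenter: a toy token and bank that compute both kinds of code, then replay the man-in-the-browser substitution the comment describes (the user approves a small transfer, the trojan submits a large one to a mule). The shared secret, account identifiers, amounts and bank challenge are constructed values; the HOTP construction follows RFC 4226, and the HMAC-SHA256 transaction code is one plausible design, not any bank's or vendor's.

```python
"""Added example, not code from the article or from any commenter: a toy
token and bank that contrast a generic one-time password with a
transaction-bound code ("what you see is what you sign").

Assumptions: token and bank share a secret; RFC 4226-style HOTP for the OTP,
HMAC-SHA256 for the transaction code; all secrets, account identifiers,
amounts and the bank challenge are constructed sample values."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-token-secret"  # constructed, for the demo only


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """Time-based OTP: HOTP over the current 30-second window."""
    return hotp(secret, int(now // step))


def verify_otp_only(secret: bytes, received_tx: dict, code: str, now: float) -> bool:
    """The weak scheme: the bank checks the code, but the code carries no
    information about the transaction it is meant to approve."""
    del received_tx  # deliberately unused: nothing binds the code to the transfer
    return hmac.compare_digest(code, totp(secret, now))


def canonical(tx: dict) -> bytes:
    """Fixed-format encoding of the details the user must see on the token."""
    return f"{tx['amount_cents']}|{tx['dest']}|{tx['challenge']}".encode()


def transaction_code(secret: bytes, tx: dict) -> str:
    """Token side: the user keys in the bank challenge, destination and amount
    and gets an 8-digit code bound to exactly those values."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


def verify_transaction_code(secret: bytes, received_tx: dict, code: str) -> bool:
    """Bank side: recompute over the transaction the bank actually received.
    A swapped amount or payee changes the expected code, so it fails."""
    return hmac.compare_digest(code, transaction_code(secret, received_tx))


def simulate_man_in_the_browser(now: float = 1_272_355_200.0) -> dict:
    """The user approves a small transfer; a trojan in the browser replaces it
    with a large transfer to a mule account while relaying the user's code."""
    challenge = "48213907"  # constructed: fresh per-transaction value from the bank
    intended = {"amount_cents": 10_000, "dest": "PAYEE-0001", "challenge": challenge}
    swapped = {"amount_cents": 9_800_000, "dest": "MULE-0014", "challenge": challenge}
    otp = totp(SECRET, now)                       # what the user types at "please login again"
    txcode = transaction_code(SECRET, intended)   # what the user's token computes
    return {
        "otp_accepts_swapped_transfer": verify_otp_only(SECRET, swapped, otp, now),
        "txauth_accepts_swapped_transfer": verify_transaction_code(SECRET, swapped, txcode),
        "txauth_accepts_intended_transfer": verify_transaction_code(SECRET, intended, txcode),
    }


if __name__ == "__main__":
    for name, outcome in simulate_man_in_the_browser().items():
        print(f"{name}: {outcome}")
```

The OTP path accepts the swapped transfer because the bank only learns that the token was present; the transaction-bound path rejects it because the code was computed over the amount and payee the user actually saw. The per-transaction challenge plays the role of the CAP reader's security code and keeps a captured code from being replayed against a later transfer.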
@dc0de:
“Please explain how you can clear out my account, if I’m using two factor authentication.”
I had thought the concept of having an active bot in the customer computer as a man-in-the-middle between user and bank was pretty clear, but apparently I was wrong (again!). Fortunately, various other sources describe the problem in more detail:
“Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process”
http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402
“Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication”
http://www.gartner.com/DisplayDocument?id=1245013&ref=g_fromdoc
The reality that a resident bot can “defeat” 2-factor has been known for some time. So my question is: How does the “2-factor is the silver bullet for online banking security” meme keep rising from the dead? Who is pushing this thing? Are we actually seeing propaganda from the attackers?
“2-factor authentication is NOT difficult, as proven by Taiwanese Banks, some UK banks, and Paypal.”
Perhaps, but the PayPal football does not protect against bots. So it may be “NOT difficult,” but it also does not work.
One reason the banks are not doing more is that it is no longer clear what they could do. The bot is in the customer computer, and there is no tool or set of tools guaranteed to expose it.
In my view there is currently just one option for secure online banking, and that is to load the OS from CD or DVD. Ultimately, no OS which boots from a conventional hard drive (or writable flash) can be considered secure. No OS can be secure on its own, because all large, complex systems have flaws.
Well-loved. Like or Dislike:
5
1
‘a mac machine is just as likely to have a keylogger as anything’
Goes into the Hall of Fame as one of the all-time best magic tricks ever.
Like or Dislike:
0
3
Hey, I could code one right now if you wanted!
Like or Dislike:
3
0
I have become a big fan of this blog but I do think you need to address the suggestion that using one operating system rather than another was the primary issue in this case.
In terms of one having a larger market share Windows is associated with greater risk, but in terms of their technical merits there probably isn’t much difference. If anything Microsoft has been much more aggressive about developing secure development procedures, releasing patches, and utilizing technologies like ASLR in recent years just because their exposure is greater.
User behavior is a much much more significant factor. The money was lost because he used a home computer used by children to play games etc. And my guess probably running with admin privileges, not kept up-to-date with OS and application patches, etc. Sure there’s less malware for OS X but there are Trojans for OS X as well (e.g. the OSX/OpinionSpy Trojan that’s in the media at the moment) and a lot of PDF and other exploits will work on OS X.
Telling people to use OS X instead of Windows is a bit like saying if you drive intoxicated at 90mph and swerve in and out of traffic, better do it in a Mercedes because your chances of survival will be better. That may be true, but the real problem/solution isn’t the model of car.
Well-loved. Like or Dislike:
32
11
Thanks for your comment Alan. I want to be *crystal* clear about something. My advice about Windows vs. live CDs or Macs, or whatever alternative has always been in the context of online banking, and I’ve been clear that I’m even saying this is mainly a big deal for business owners banking online.
I’m not saying people should abandon Windows because Macs or LiveCDs will make the world sing in harmony. I’m merely saying if you’re a business, and you bank online, you should *strongly* consider doing at least the banking part from a non-Windows machine.
We can argue about whether Windows is getting a fair shake if you like. I tend to side with the little guy here who doesn’t give a rat’s behind about how Microsoft or Apple feels about all this. They just want to be able to continue existing and not having to worry about a single virus infection wiping out their entire business.
Well-loved. Like or Dislike:
33
7
Brian,
Fair enough, but if the focus is commercial online banking the solution isn’t whether you use this operating system or that operating system. Focusing on which operating system is a security distraction.
The solution is using a LiveCD. A LiveCD probably means a Linux variant but it’s not the brand of OS as such that makes it secure but that it’s an OS on read-only media that is used strictly for online banking and no other purpose. It may even have firewall rules pre-configured to only allow access to/from the bank’s IP addresses.
If you want security you shouldn’t be doing online banking from a Windows, OS X or a Linux PC (from home, no less!) that is also used for other purposes such as browsing the Internet, online games, etc.
Alan.
Well-loved. Like or Dislike:
23
3
Here’s the most important line from this story:
“But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.”
So, if you choose to use a dedicated Windows system for online banking, great. Going the LiveCD route? Perfect. But be consistent. At the risk of…er..stretching the analogy, it’s kind of like condom use: It does no good to use them only *some of the time*.
Well-loved. Like or Dislike:
19
6
Brian,
I think we’re largely in agreement. My gripe is just that the “Using Windows…” framing is misleading because it isn’t the fact that he used Windows that caused him to lose $100K. He lost $100K because he used a machine–a home computer used by kids to browse, chat and play games online–he should have realized wasn’t suitable for doing online banking transactions.
Alan.
Well-loved. Like or Dislike:
15
4
Oh joy. We can agree that a Live CD is the solution? Wonderful.
As one alert reader pointed out to me today, the German government just released a version of Knoppix that they’re now recommending for online banking.
https://www.bsi.bund.de/DE/Themen/ProdukteTools/SecuritySurfCD/securitysurfcd_node.html
Well-loved. Like or Dislike:
14
10
I’d like to point out something that was a pretty widely read tech item yesterday, Alan.
Financial Times: Google ditches Windows on security concerns
Google, a company with 10,000 employees around the world, is officially ditching Windows. This has to be seen as pretty tangible proof that Google, as a company, does not trust Windows to be secure in any way, shape or form. They do trust Linux and Apple, and their spokesperson in this case is willing to say so explicitly.
Windows is, let’s be 100% frank here, swiss cheese. The average new Windows PC has about as much built-in rock-solid security as a mosquito net.
Yes this guy should have known better, but the fact that, really, any Windows machine that he himself had never set up should always be perceived as so insecure that anything he did with it is monitored and recorded by criminals, is a pretty strong statement that Windows effectively is not secure, full stop.
Microsoft can blame Adobe and third party programs all it wants. The reality is: any Windows machine, from day zero, is extremely susceptible to infection just by using Internet Explorer to visit a perfectly legitimate website which was susceptible to a compromise of one sort or another. This is well-documented. The criminals behind all of these thefts know this, and they are counting on the average business owner to not bother with securing it. This is the only reason this is successful.
I quite often have to use Windows in most environments I work in. I don’t care to wave flags about one OS or another, I use all of them. Every job I’ve had over many years just by default: it’s a Windows shop. I take many extra steps to secure my machine as completely as possible. That takes a lot of extra effort which most people will not do.
Your claim that the ‘”Using Windows…” framing is misleading’ is, in my opinion, and apparently that of Google worldwide, incorrect.
SiL / IKS / concerned citizen
Well-loved. Like or Dislike:
17
11
There’s no reply button for Spamislame’s post below this one but here’s my take on the Google/Windows story:
Lots of people think the “Google ditches Windows for security reasons” story in the FT is silly, e.g. http://www.infoworld.com/print/125722
1. The story is very badly sourced. Google hasn’t said what it is doing or why.
2. If Google were ditching Windows for the reasons given by the FT, which many doubt, it shows an amazing degree of cluelessness for a high-tech company of Google’s standing. Good marketing FUD though!
3. Google’s recent ‘Chinese’ security issues stemmed from running a machine with admin rights, an out-dated operating system, and old software. Under the circumstances blaming Windows is disingenuous.
4. Google is a big target so whatever OS they happen to use will attract motivated hackers so using a less commonly targeted OS doesn’t help them. If anyone thinks using OS X will make Google more secure Google “Charlie Miller Mac” or see links I posted elsewhere in this discussion.
Hot debate. What do you think?
15
12
‘but in terms of their technical merits there probably isn’t much difference’
Define ‘probably’. Tell us a bit about your background and how you arrived at that conclusion. Cheers.
Like or Dislike:
2
1
Thank you for pointing out the pattern: I sometimes feel like a lone voice wailing in the wilderness.
There are a few safe ways to use windows, though less convenient than most users will tolerate. One way is to use VMware in non-persistent mode and reboot after each site is accessed. Another is to burn the O/S onto a DVD and use an in-memory filesystem for all temporary storage, rebooting after each operation. The last I know is to install the system, write-lock the drive at the hardware level, and then use in-memory storage for anything temporary.
These have proven useful when I’ve had to access sites that require windows (e.g., they use exploder-specific options).
Then again, people could just follow your advice and buy a Mac.
Hot debate. What do you think?
8
9
A question about live CDs vs Virtual Machines. I have been using virtualbox for a while (windows host). Would a linux VM running in such a scenario be immune from malware running on the windows host? Are the guests in virtual box isolated enough?
A vm starts so much faster than a boot of a live cd…..
Like or Dislike:
2
1
@Gord
Such a setup might be safe for the time being, but with malware getting more sophisticated at such a rapid pace…it will probably not be in the future. If the Host computer gets infected, a virtualization-aware trojan cannot get directly to your guest OS image (which is encrypted), but it might infect the virtualization software itself and finally infect the guest OS this way the first time you boot it. Sure, this being Linux, it is a lot less likely to encounter such malware, but the risks are further reduced if the host OS is not used for any activity except running the virtualization software and you use a Windows instance as a Guest OS also.
Well-loved. Like or Dislike:
5
1
No, not to a key logger. You are running the “safe OS” on an unsafe OS. If there is a keylogger on the base OS, you are still done for. It may help in some instances, for example if the malware only pulls saved passwords or something similar, but it isn’t trusted. The nice thing about a live CD is now you are booting into a fresh known trusted environment every time. Once you start messing with it, as soon as you pull the disk… everything is reset… and the CD is “trusted” again.
Well-loved. Like or Dislike:
9
1
Trust starts at the base and works its way up. Without trusted hardware, you have no assurance that your boot CD is safe.
http://en.wikipedia.org/wiki/Rootkit#Hardware.2FFirmware
Furthermore, all this talk of boot CDs is terribly clunky. It completely takes away from the point of online banking: Convenience.
Recommending boot CDs to solve online banking is as eloquent as telling Toyota owners to attach a mattress to the front of their cars in case the gas pedal sticks.
Much of the security industry today has focused on trying to secure the end-user system. If we assume that the end-user system is compromised then we must develop new mitigating controls.
Well-loved. Like or Dislike:
10
3
‘Another is to burn the O/S onto a DVD and use an in-memory filesystem for all temporary storage, rebooting after each operation. The last I know is to install the system, write-lock the drive at the hardware level, and then use in-memory storage for anything temporary.’
This sidesteps the fact that the Registry is basically dynamic and large parts of it are ‘volatile’ – they’re never saved to disk. And yet they determine how the system works. Your ‘current control set’ defines the use of the hardware. That’s volatile and never reaches your hard drive. That can be corrupted by intrusion code and with no need to ever go to disk.
Like or Dislike:
0
0
Windows drivers are ‘layered’. [See http://bit.ly/c9WklE @ Wiki.] With proper access – which the hack will attempt to achieve – rogue code can put in a new layer to for example log keystrokes. This without getting to disk. True, the box might be OK the next time you boot that way, but you can still get infected on a CD-boot surfing expedition using Windows.
Like or Dislike:
1
0
@BrianKrebs
“Finally, I’d take strong exception to your blanket statement that Macs are just as likely to get a keylogger as anything. ALL of the victims I’ve interviewed (>100) were Windows users. Seeing a pattern here?”
Hmmm. While I agree that your current empirical data tends to lean towards untrusted Windows computers, I don’t think – as a researcher – one can simply discount untrusted non-Windows computers. This falls into that “black swan” zone, that is, one can’t prove there aren’t black swans just because all you have found so far is white swans. The same goes here, just because all you have found so far are untrusted Windows computers, doesn’t mean there are no untrusted non-Windows computers.
It has been shown that non-Windows computers are susceptible to malware, and I think that we are just currently seeing the statistics of market share (there are just a lot more Windows computers being used than non-Windows computers).
Well-loved. Like or Dislike:
16
8
Q: How many of these exploits work at all with Opera on Windows or OS X?
Q: How many work with Opera on Linux?
Q: How many work with lynx on *any* O/S (maybe text browsers without embedded languages still have real use)?
Well-loved. Like or Dislike:
11
6
What’s your point? Are you saying that malware could not target those alternate software pieces, or that they just haven’t been targeted yet?
Well-loved. Like or Dislike:
5
0
Nice, real nice! Blame Windows when the real issue here is the decision by Mr. Green to use a “shared” family PC! He could have used a dedicated Windows system with as much efficacy as a Mac or a Live CD. To ONLY point blame at the OS is using logical fallacy.
The cum hoc ergo propter hoc logical fallacy can be expressed as follows:
1. A occurs in correlation with B.
2. Therefore, A causes B.
In this type of logical fallacy, one makes a premature conclusion about causality after observing only a correlation between two or more factors. Generally, if one factor (A) is observed to only be correlated with another factor (B), it is sometimes taken for granted that A is causing B even when no evidence supports this. This is a logical fallacy because there are at least five possibilities:
1. A may be the cause of B.
2. B may be the cause of A.
3. Some unknown third factor C may actually be the cause of both A and B.
4. There may be a combination of the above three relationships. For example, B may be the cause of A at the same time as A is the cause of B (contradicting that the only relationship between A and B is that A causes B). This describes a self-reinforcing system.
5. The “relationship” is a coincidence or so complex or indirect that it is more effectively called a coincidence (i.e. two events occurring at the same time that have no direct relationship to each other besides the fact that they are occurring at the same time). A larger sample size helps to reduce the chance of a coincidence, unless there is a systematic error in the experiment.
In other words, there can be no conclusion made regarding the existence or the direction of a cause and effect relationship only from the fact that A and B are correlated. Determining whether there is an actual cause and effect relationship requires further investigation, even when the relationship between A and B is statistically significant, a large effect size is observed, or a large part of the variance is explained.
Hot debate. What do you think?
22
23
‘Nice, real nice! Blame Windows when the real issue here is the decision by Mr. Green to use a “shared” family PC!’
You’re hurting people’s heads.
Hot debate. What do you think?
5
4
A hurdle is a hurdle, I understand that nothing is perfect, but what I am trying to argue is that having a Mac is just one more hurdle for an attacker to overcome, which I do agree with, but so is the RSA key. Unconditional security is impossible, but putting as many speed bumps in front of an attacker will cause them to move on to the next person.
I do know one person that had all their credentials stolen from Mac Spyware. Granted they installed something stupid, but Windows is often the same thing. Linux has been hit as well. Relying on a platform that you believe is resilient is going to bite you because I often find these users a lot more careless. I would like to see users using USB keys that are READ only that you can boot off of that just contain a web browser.
Hurdles are good, so long as it doesn’t present a user a false sense of security. I would much rather be using something along the lines of an RSA key than relying on the Mac platform.
I would also like to see something along the lines of banks texting you every time there is any large transaction done of a certain amount that you define (say $1000 bucks in one week as a default, change it for your use).
I still enjoy your blog by the way! Just a minor disagreement. I also have a bitter hatred for Windows, and use Ubuntu for my home desktop among other versions of Linux, but I feel that telling someone to use Linux to fix their problems is about the worst thing you could do.
Well-loved. Like or Dislike:
11
4
One more thought. I have often also urged people to simply use a dedicated Windows system for online banking. That is, get a cheap netbook or laptop, use it for online banking and for nothing else (not facebooking or emailing or chatting) and put it in a drawer when you’re done with it.
The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer. As such, it seems prudent to assume that the customer is 100 percent responsible for securing the online banking transaction. When viewed this way, using a dedicated machine or LiveCD doesn’t sound like such a drastic solution.
Well-loved. Like or Dislike:
13
3
“The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer.”
I agree 100% on this.. I also feel that businesses should have similar protection as consumers on this issue.
Well-loved. Like or Dislike:
14
1
“The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer. ”
Yes, they have, just like the law puts driving safely on the shoulders of the driver. Try convincing a judge that you should not have to pay for the speeding ticket just because it was your car, your license plate and you were in the driver’s seat.
Just because you’ve been driving for years or using computers for years does not eliminate personal accountability for your actions and inactions.
If you want to drive around on bald tires and that contributes to an accident, it’s still your fault.
Hot debate. What do you think?
12
9
I think you have “hit the nail on the head” with your statement:
“The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer.”
That’s the root of the problem here – banks need to accept responsibility for what is really a bank problem. They need to stop trying to shift the focus away from themselves – and we need to stop reinforcing this behavior – distracting everyone with non-issues like what OS the customer is using (Windows or Mac or Live CD or whatever).
Brian, one of your best suggestions deserves repeating here:
“Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game. ”
This must be the baseline for all online banking.
You should be using your forum here to focus on the real issue – poor security on the bank side – not the “band-aid” solution which focuses on which OS the customer is using. With your blog posts getting linked from other sites (congratulations!), I would much rather see a link to a blog commenting on how inadequate bank security is, suggesting that banks need to seriously consider the real problems and provide better security, instead of one suggesting which OS customers should be using for online banking.
Well-loved. Like or Dislike:
13
7
Absolutely!
The banks need to provide stronger security measures. In order to cut their costs, they are happy to make everything digitally processed by the machines, while they twiddle their thumbs. The security infrastructure is inadequate. As a software architect I can think up numerous ways to enforce security that will conform with common sense and will involve not only the cyberspace but also various acute human decisions controllable by the banks and their customers with enough flexibility for the customer to tighten or relax the level of security available to them (if they are sticklers for relaxed security).
But, the bottom line is that the banks need to provide more security. There are instances of fraud where any bozo can see the fraudulent pattern in the transactions. There are ways to identify those patterns in real-time and the banks can automatically halt such transactions and ring up a human to clear the transactions.
The OS is a minor issue. Yes, Windows is the worst of the lot, but no OS is bullet-proof either. As it has been pointed out earlier, a completely locked down version (such as a Live CD) will do the job, even if it is Windows (e.g. Bart PE).
Hot debate. What do you think?
7
5
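The comment above argues that banks can spot the fraudulent pattern in real time and hold the transactions for a human to clear, and an earlier comment asked for alerts whenever outgoing transfers exceed a customer-defined weekly amount. Both are bank-side controls, so here is an added example of what those two checks could look like; it is not code from this page or from any bank, and the account id, payee names and transfer records are constructed sample data. The structuring check flags an account that pays several never-before-seen payees inside a short window (the shape of the theft described in the story: many sub-$10,000 transfers to new recipients), and the threshold check implements the "$1000 in one week" notification idea as a rolling-window total.

```python
# Added example (not code from the page or any bank): bank-side checks over
# outbound commercial transfers, run here on constructed sample records.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    account: str       # originating commercial account (constructed id)
    payee: str         # destination identifier (constructed)
    amount: float      # USD
    when: datetime


# Constructed sample log, "timestamp,account,payee,amount": two routine vendor
# payments, then a burst of sub-$10,000 transfers to payees never paid before.
SAMPLE_LOG = """\
2010-04-20T10:05,ACCT-1001,VENDOR-A,4200.00
2010-04-22T09:40,ACCT-1001,VENDOR-B,615.30
2010-04-27T08:02,ACCT-1001,NEWPAYEE-01,9850.00
2010-04-27T08:03,ACCT-1001,NEWPAYEE-02,9700.00
2010-04-27T08:03,ACCT-1001,NEWPAYEE-03,4900.00
2010-04-27T08:04,ACCT-1001,NEWPAYEE-04,9950.00
2010-04-27T08:05,ACCT-1001,NEWPAYEE-05,4850.00
2010-04-27T08:06,ACCT-1001,NEWPAYEE-06,9600.00
"""

# Payees each account has paid before (constructed; a real system would derive
# this from the account's transfer history).
KNOWN_PAYEES = {"ACCT-1001": {"VENDOR-A", "VENDOR-B"}}


def parse_log(text):
    """Parse the CSV-style records into Transfer objects, oldest first."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, payee, amount = line.split(",")
        transfers.append(Transfer(account, payee, float(amount),
                                  datetime.fromisoformat(ts)))
    return sorted(transfers, key=lambda t: t.when)


def threshold_alerts(transfers, limit=1000.0, window=timedelta(days=7)):
    """Customer-defined alert: notify whenever the rolling total of outbound
    transfers within `window` exceeds `limit` (the "$1000 in one week" idea).
    Returns (account, time, running_total) tuples, one per transfer that
    leaves the rolling total above the limit."""
    by_account = {}
    for t in transfers:
        by_account.setdefault(t.account, []).append(t)
    alerts = []
    for account, ts in by_account.items():
        for i, t in enumerate(ts):
            start = t.when - window
            total = sum(x.amount for x in ts[:i + 1] if x.when > start)
            if total > limit:
                alerts.append((account, t.when, round(total, 2)))
    return alerts


def structuring_alerts(transfers, known_payees, window=timedelta(hours=24),
                       min_new_payees=3):
    """Pattern check: an account sending money to at least `min_new_payees`
    previously unseen payees within `window` is flagged.
    Returns {account: sorted list of the new payees involved}."""
    by_account = {}
    for t in transfers:
        by_account.setdefault(t.account, []).append(t)
    flagged = {}
    for account, ts in by_account.items():
        seen = set(known_payees.get(account, ()))
        recent = []   # transfers to new payees still inside the window
        for t in ts:
            if t.payee in seen:
                continue            # established payee: not part of the pattern
            seen.add(t.payee)       # count each new payee once
            recent.append(t)
            recent = [r for r in recent if r.when > t.when - window]
            if len(recent) >= min_new_payees:
                flagged.setdefault(account, set()).update(r.payee for r in recent)
    return {a: sorted(p) for a, p in flagged.items()}


def review_decisions(transfers, known_payees):
    """HOLD an account's batch for human clearance when the structuring
    pattern fires; otherwise ALLOW. Threshold alerts only notify."""
    held = structuring_alerts(transfers, known_payees)
    accounts = sorted({t.account for t in transfers})
    return {a: ("HOLD" if a in held else "ALLOW") for a in accounts}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for alert in threshold_alerts(records):
        print("ALERT over customer limit:", alert)
    print("structuring:", structuring_alerts(records, KNOWN_PAYEES))
    print("decisions:", review_decisions(records, KNOWN_PAYEES))
```

On the sample the two routine vendor payments only trigger the customer's own threshold notification, while the burst of six new payees on the last day makes the structuring check fire and the batch is held rather than released. The thresholds (window length, number of new payees, weekly limit) are deliberately parameters, since the comment's point is that the customer should be able to tighten or relax them.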
“The OS is a minor issue. Yes, Windows is the worst of the lot, but no OS is bullet-proof either. ”
Abstractly, Windows security is probably *better* than the others, having been honed under attack for many years. But that does not matter as long as openings continue to be found, and while malware profits continue to be best when attacking Windows.
“As it has been pointed out earlier, a completely locked down version (such as a Live CD) will do the job, even if it is Windows (e.g. Bart PE).”
I have used a Bart PE, and would be interested to hear about anyone actually doing that in practice. First, the OS is big, and loading is very, very slow. But the real problem is that the browser environment necessarily changes, and there is no facility to support such changes.
When a problem is found and fixed in a browser, just using the old version can be a serious error. We cannot just use the old OS either. Keeping up will be more work than I would do.
In contrast, the Puppy Linux system allows the boot DVD (DVD+RW) to be updated, although in restricted ways. First, the user must approve updates, which are slow and obvious. Next, it makes sense to do updates early in a session, before getting into anything hinky. And each update is added as a separate DVD “session,” which can be voided if something bad was there. It is easy to prevent DVD writes completely, simply by removing the DVD (Puppy functions completely in RAM). Of course, making a brand new DVD takes about 5 minutes if the original installation was copied and saved as a base.
The advantage of Puppy Linux is not just being Linux, or even booting from DVD, but also in allowing the DVD to be updated in response to a continuing flow of real-world patches. The alternative is not pretty.
Well-loved. Like or Dislike:
8
1
You’re right. Bart PE can be a pain to load (in fact I only tried a few times a few years ago and gave up). I am planning on exploring the UBCD4Win option. That one seems promising but I haven’t tried it yet (just throwing out another option for Windows users). And this is just because many Win users feel intimidated by Linux, and besides, familiarity with your main turf is always more welcome. Those who are bold enough to try out something different, Linux is probably the only and the best option. I haven’t seen any OS X live versions (Apple licensing would kill such efforts), and I’m pretty sure no common user would touch Unix!
I have pretty high hopes from Chrome OS (ergo Android which will merge its path with Chrome as per Google). We’ll see in due course of time.
Like or Dislike:
3
0
Sounds great, but a dedicated Mac machine is pretty expensive… I can get a cheap Linux netbook for 200 bucks! Doesn’t need to be fancy for this application. I feel like telling users this advice is a lot more likely to happen if it doesn’t put them down 1000 bucks.
Well-loved. Like or Dislike:
11
1
“a dedicated Mac machine is pretty expensive… I can get a cheap Linux netbook for 200 bucks!”
But a Linux LiveDVD is free. And you can use it on your existing Windows machine. There is no need for a new machine.
Even if the Windows machine is infected, a DVD boot avoids the infection.
Well-loved. Like or Dislike:
11
1
Hate to beat a dead horse as I’ve posted this in other threads. But, it is highly relevant to Mr. Green’s decision to use a PC of dubious nature. It also speaks to the suggestion of using other OSes:
Law #10: Technology is not a panacea
No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.
The rest of the laws are very important as well!
http://itknowledgeexchange.techtarget.com/security-corner/10-immutable-laws-of-security
Well-loved. Like or Dislike:
12
4
Technology and human behaviour work together.
A good technical solution will provide sufficient information or controls for the correct human behaviour to happen, but many of the attacks are impressive in their ability to bypass our mental defences.
Brian has identified that the read-only operating system provides a significant level of technological protection and the only reason people don’t use it is either because they don’t know about this solution or that they believe it is a poor risk tradeoff in the time taken to use it compared with the likelihood of financial loss.
Maybe this indicates that we need better technological solutions or a change in the way that the bank is comfortable about a transaction, but no solution is without cost – if additional measures add 10 minutes/week to 1 million people we may reduce the cost to a few careless individuals at a larger cost to society as a whole.
Personally, I have been most impressed by the ASUS Expressgate (I think) instant-on browser on my recent motherboard as a simple, quickly accessed trusted interface. It is a shame you have to reboot to access it – if they bundled a vmware player for it I would be impressed.
Like or Dislike:
0
0
“Personally, I have been most impressed by the ASUS Expressgate (I think) instant-on browser on my recent motherboard as a simple, quickly accessed trusted interface.”
Express Gate certainly sounded like a solution to me when I first heard about it. After a little research and thought, it seemed less helpful. Browsers need to be patched frequently, and add-ons are important for browsing security.
Security updates are not so much about improved features as fixing vulnerabilities. The time has long passed when we could just use an old system and be satisfied with that. A browser which does not allow security updates becomes increasingly vulnerable.
Then, after we get updates, we have to prevent non-update writes to the boot flash, or we are open to malware infection again. All this can be done, it just has not been done.
“It is a shame you have to reboot to access it – if they bundled a vmware player for it I would be impressed.”
Running vmware from Microsoft Windows is not the same as running on “bare metal” with nothing else there. The base problem is malware infecting the boot drive. When we boot Windows, that potentially puts malware in control of everything, which makes the virtual machine sandbox untrustable. The security goal should be to not boot from any easily-writable drive which malware could have infected.
Like or Dislike:
1
0
“Blame the user!” What a brilliant idea. I wonder why nobody has *ever* thought of doing this.
Thanks for your comment.
Well-loved. Like or Dislike:
20
13
I agree with Brian on this one. The organization that has the resources and the ability to solve these problems is the banks, not the user. The burden of responsibility needs to be put on the one who has the ability to fix it. While I agree that to a certain extent the user could be blamed, we should also realize that if we always blame the user and they are always help responsible then banks aren’t going to do anything to help with this fight.
Well-loved. Like or Dislike:
11
1
While it may not have been the intention, the article title and the “from his trusty Mac laptop” in the first sentence certainly come across as biased. The comments show many took it that way too. Then again, putting on my tinfoil hat, may be it was intentional to drive up traffic!
Anyway, as to the “blame the user”, it’s not about putting all the blame on them, but to make the point that the user has just as much responsibility in securing their end of the deal. Something Mr. Green was doing until his dreadful mistake.
It is unfair to ask the bank to assume all the responsibility when in virtually every case, the problem has been the end user’s failure to secure their end. To be absolutely blunt, let Darwin’s theory sort it all out! Or as I like to say, “Stupid is as stupid does!” I’m sure this will be the last time Mr. Green uses an unsecured computer!
Well-loved. Like or Dislike:
12
8
“the user has just as much responsibility in securing their end of the deal.”
That’s like saying that an owner of a Toyota has just as much responsibility for the safety of the car as the manufacturer.
The fact is that banks have created an environment where online transactions are allowed, and even encouraged, to be originated from demonstrably unsecurable environments. That’s not a user issue.
Automotives come with user manuals and clear simple to follow rules for safe operation. An operator that violates those rules is held responsible for unsafe operation. No such thing exists with respect to computers and the internet. I highly doubt that the bank had rules or even suggestions about not using one’s home PC to originate online transactions.
Until banks have clear and easily implementable security rules that are enforced, banks should be held responsible for any and all fraud that occurs. Getting hit by malware that even Google can’t keep completely off their systems should not be cause to be held responsible for banking fraud.
Well-loved. Like or Dislike:
15
2
Circumstances alter cases. This user WAS sophisticated and knowledgeable enough to take precautions, and then hasty and careless enough NOT to implement them. All of the other instances I’ve read about on this blog, the victims were less sophisticated and knowledgeable. If I’m the judge, this guy pays some of the freight.
Well-loved. Like or Dislike:
7
0
‘On the bright side, though, the owner’s wife now has a new Mac.’
I’ll bet the kids still browse the web having auto-logged in to an administrative user. No lesson of value was actually learned here.
Well-loved. Like or Dislike:
14
6
I don’t want to get into a this OS is better than that OS fight as I’m not sure there are significant technical advantages of one OS over another. I really think the issue here is user behavior and procedures for accessing banks rather than the particular brand of OS.
But regarding OS X there is plenty of evidence that it isn’t technically more secure than Windows. Charlie Miller has no trouble compromising OS X every year at CanSecWest, Apple is notoriously slow at releasing significant security updates for Java and other apps, etc. If it made economic sense criminals would have no problems writing banking malware for OS X.
OS X is ‘secure’ because it is targeted less often. You could make the same claim for Linux. As OS X market share grows, or even if lots more businesses started using OS X for online banking, we’d see more malware exploiting OS X. OS X is only a solution in the sense that it’s security by economic obscurity (from criminal’s perspective) which isn’t really very reliable security at all.
Well-loved. Like or Dislike:
10
4
“OS X is ’secure’ because it is targeted less often. You could make the same claim for Linux.”
Exactly! Actually, Microsoft Windows is likely to be significantly stronger, abstractly, than OS’s which are not being exploited. But that strength is not effective until it resists exploitation and experience would lead us to believe that will never happen. Large, complex systems always have errors.
“OS X is only a solution in the sense that it’s security by economic obscurity (from criminal’s perspective) which isn’t really very reliable security at all.”
Well, it may gain a little time, which can be useful. But the real problem is infection, and the tasty hard drive in Macs can be infected just like Windows. If we instead move to something which is vastly harder to infect (there being no perfection in this world), we get real security, not obscurity. So boot from a LiveDVD, which for now generally means Linux. See my computer security articles and set up the Puppy Linux which I am using right now.
http://www.ciphersbyritter.com/COMPSEC/PCSECBAN.HTM
Well-loved. Like or Dislike:
9
5
Most users cannot pronounce “TCP/IP”; doesn’t mean that they cannot or do not use it.
*NIX system also provide a better suite of tools for security: chroot to a single-use tmpfs can be made transparent to the user (aside from a disk LED lighting up). Ditto readonly mounts. XEN and VMware are more attractive options on a *NIX platform than Windows.
Maybe there is a real market for single-use netbooks configured for secure banking?
Well-loved. Like or Dislike:
6
1
The other takeaway is that time spent keeping an eye on the safety and security of our families whilst online is not wasted!
Hot debate. What do you think?
5
4
I’m sorry to see a trend in which the percentage of transactions successfully reversed is decreasing and that thieves are getting better at keeping more of the monies stolen. Macs are almost for sure safer, but good Linux distributions are just as user friendly and safe (and much cheaper). Besides, for users not prepared to completely jump on non-Windows bandwagons they can easily dual-boot. Until malware gets sophisticated enough to write to ext3 filesystems from inside Windows, this should be quite safe. Yet a better way, install virtualization software and a firewall/antivirus, never use your host operating system to install anything else or to go (directly) to Internet, create a virtual instance with your favorite OS for day to day use and a few OS templates, which you can deploy anew every time you want to perform any sensitive operation.
Well-loved. Like or Dislike:
4
0
Just to reinforce – it’s not so much that the Mac is invulnerable, but that it isn’t targeted. The best solution is a banking-only system or a live-CD, no matter what the OS. Just today, there is a bulletin about new Mac malware called OSX/Onionspy
http://isc.sans.org/diary.html?storyid=8890
Well-loved. Like or Dislike:
9
1
So, if im browsing on my invincible MacBook with Safari’s 2-years-and-counting security hole
(http://www.zdnet.com/blog/security/unpatched-drive-by-download-flaw-in-apple-safari-browser/6397),
and then someone tries to drop a keylogger on my desktop, along with other spyware readily available from a Google search
(http://www.google.com/search?q=keylogger+for+mac&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=),
then I won’t get exploited? I still don’t understand why people use the Mac as their golden calf.
The Windows machine should be updated with all the patches and virus scanners just like a Linux or Mac; that is and always will be the user’s responsibility.
And the bank should employ some better security like the ones discussed in the comments from other users above, because security will always be a speed bump. It will NEVER be a brick wall unless you unplug from the network! So why not add some more speed bumps, some bigger, some smaller? Do you use locks on your house at home? Why? Someone could come by with a lock pick with full access to your house in minutes. ADT security system? It won’t STOP someone from stealing your TV and running upstairs to snag the jewelry box before the police come. It only deters people who are not willing to go any further. If you want to secure your house, bury it underground with no windows or doors. If you want to secure your computer, don’t use the network.
And for people who don’t want to fool themselves, keep your stuff patched, updated, and if the bank doesn’t use enough security, then find another bank. But for goodness sake, man up for your mistakes!
Apparently Mac doesn’t take their browser flaws seriously, but if you want to just pray to your golden calf, maybe everything will be ok.
Well-loved. Like or Dislike:
17
6
I haven’t been involved in a flame war in a while, this is exciting, but I think after this one I need to get back to work.
This is proof that Apple doesn’t take security seriously and in turn this rubs off onto their users. Saying that I can pop up files on your desktop by visiting a site, and Apple saying that is a feature not a bug, is where the problem stems from. Their commercials making fun of PCs for malware are funny and all, but make their users feel like the Mac can do no wrong and that if there is something on their desktop they need to click on it! Apple was years late to include both DEP and Address Space Layout Randomization, and so far people who have studied it have said it sucks http://www.laconicsecurity.com/aslr-leopard-versus-vista.html. To make matters worse they only give you the feature if you upgrade (which costs money). Honestly Microsoft, for all the things that can be said bad about them, takes security far more seriously than Apple.
Well-loved. Like or Dislike:
12
3
That security hole in Safari… Yeah, that’s only on Safari for Windows. Just sayin’
Well-loved. Like or Dislike:
9
4
In a nutshell the golden calf, from an engineering perspective, is pretty easy to explain. The system is maintainable and isn’t trying to scale a collapsed technology.
The Registry is evil. DLLs (not shared libraries per se) are evil. The MS security model is nothing to write home about.
OS X is based on BSD Unix, an OS that was designed from the beginning to maintain privilege separation. Apple realized years ago it would be worthwhile to have a few years of pain to have a stronger OS – hence the change. MS has been polishing the same turd since the beginning. Windows was originally designed to be a basic presentation level tool and then OS level features were hacked underneath, damaging its foundation so to speak. It’s a fundamental difference between how Unix and MS people think – one is sustainable at a fundamental level because it depends on a modular experience and the other is not.
I would like to say that Linux will be strong long term, but I think the lack of 3D accelerated graphics will kill it off as a workstation…
Well-loved. Like or Dislike:
15
8
I hate it when this Mac drama takes over the blog conversation, and I agree with Marty: The banks should be doing their part to safeguard small business owners’ online accounts. Why are business accounts treated so differently than personal ones?
Well-loved. Like or Dislike:
9
0
Why? Because the consumer protection laws give banks certain liability for consumer account fraud, but not for commercial accounts. You think banks and credit card companies eat consumer fraud out of the goodness of their hearts and pocketbooks?
Well-loved. Like or Dislike:
8
0
Yes, unfortunately, the post comments have degraded into an irrelevant discussion about end user operating systems.
To restate one of Brian’s most profound statements regarding online banking:
“Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game. ”
The customer’s operating system and its malware state doesn’t matter. What does matter is what the bank is doing to protect the customer’s transactions from fraud. Where is this point being made?
Sadly, I think that Brian has consumed some “banker’s kool-aid”. Notice that Brian didn’t even mention the bank by name in this post? In previous posts regarding online bank fraud like this, Brian at least included the name of the offending bank and would even comment about inadequate security on the bank’s part. No mention this time, other than to include a comment from the victim that the bank is disavowing responsibility.
The more we get distracted by discussing which operating system the online banking customer is using, the quicker the banking institutions will “win”, by convincing their customers and others – including the media reporting on the fraud – that this is all somehow the customer’s fault and not the bank’s responsibility.
The same thing happened with “identity theft” (btw, there is no such thing as “identity theft”). Financial institutions were able to distract/convince customers that their “identities were stolen”, and as a result, the bank fraud which occurred was the customer’s fault, and not the bank’s responsibility.
Well-loved. Like or Dislike:
9
3
Love your column!
I do agree with you that small business owners who choose to use online banking do so from a dedicated machine.
In addition to all your other suggestions, if you use a dedicated Windows PC for banking, disable the Server service for additional peace of mind.
I have to disagree with you on the impression of a Mac being safer to use than a windows machine. That is a false security blanket. That statement should be there are fewer exploits on the MAC platform.
Well-loved. Like or Dislike:
9
2
Great job Brian! I totally agree with you. Using a dedicated non-windows OS laptop or LiveCD seems to be the answer. It just so happens that Microsoft has the big target on their back and also just happens to be the criminal attacker’s choice as the OS easiest to exploit.
Comments are entertaining to read also.
Like or Dislike:
4
3
Mr. Krebs,
Keep fighting the good fight and ignore all the nonsense in the comments. In my mind, it is criminal that banks allow this ridiculousness to happen. If the computer/internet/online banking complex were a car, there would have been recalls and congressional hearings by now. Lawyers would be lining up, and CEOs would be issuing mea culpas. It is shameful that users are being blamed for an epic failure on the part of the others.
Hot debate. What do you think?
8
5
“If the computer/internet/online banking complex were a car, there would have been recalls and congressional hearings by now.”
That is an excellent point! I suppose most people are under the delusion that everything that can be done (technically) is being done. That is wrong. A new form of hard drive could be created to protect OS code from infection. The OS code might only be updatable from a LiveCD. That could prevent online bot infection, but we do not have that, and people would have to buy it anyway. That is years away, at best.
The problem is not just the driver, it is car and the roads as well. For example, is the Microsoft Windows product, when operating in its expected PC environment, fit for the purpose of online banking? Such issues are commonly resolved in court, and damage awards get noticed and can trigger societal change.
Software upgrades can never offer serious protection, because when malware runs, it subverts the OS code. Only new hardware can offer an independent layer of security to prevent infection, and that is not available. Until then, booting from LiveDVD is a very good idea.
Well-loved. Like or Dislike:
7
1
Flame wars!
Maybe everyone should read the headline.
There is no final answer in business nor is there any final answer in computers, only degrees of risk.
This guy, having a brain ^&*R, used a computer that had way too much exposure to viruses. The Mac was not used for such activities.
A clean operating system used for nothing but banking has a low prospect of acquiring a virus. Windows or Mac or Linux doesn’t matter.
But the point of the article is still the same. NO NO NO NEVER any deviations.
In that regard, that is why I use Ubuntu for my banking business, though Windows is my everyday operating system. I know when I am in Ubuntu, that banking is all it is to be used for. Email is not even set up, either. If a different operating system keeps your head on straight, then it is helpful. If it were a dedicated Windows machine for me, the temptation would be constantly there to use it just like the other Windows machine. It is obvious we can not trust the Internet and I would assert it doesn’t pay to trust yourself either.
Well-loved. Like or Dislike:
12
1
I got blasted the last time you reported on this topic by suggesting the business owner moves to a Mac. Of course, the fan boys targeted me.
We don’t live in a perfect world. While it is wise to get a dedicated system for banking, I believe the condom analogy is always going to apply. Like Mr. Green, the one-time emergency will always arise. I still believe a Mac is going to help these business owners because I don’t believe that they are that computer savvy to begin with, especially in light of the ever-rising number of cyber criminals and their evolving expertise. Learning, knowing, and applying basic computer security is not the forte of the company’s boss; he is the boss so he can do what he wants, but not in today’s world. Even though, I am not our company’s boss or CFO, I still created a LiveCD to see what it was like. If Macs ever become the number one target of these types of attacks, then I would say, switch to a Windows-based system. (…) Business owners should see a switch to a Mac as a way of staying safe and holding onto their money right now, instead of waiting to see if there is a safer and faster method down the road. Linux – most computer users still can’t pronounce the word.
Hot debate. What do you think?
5
5
You are pretty much right in what you said.
I’m not a Mac fanboy or Linux fanboy by any means. I mean I don’t use either at work or at home. But as security threats keep growing, looking for ways to get around security threats is smart.
Windows is a great OS. It’s a tool. And when you need a tool to do a job you use the best tool for the job. The job is online banking, and the best tool for that job is just about anything other than a Windows OS (as of right now).
Well-loved. Like or Dislike:
7
1
“Using Windows for a Day Cost Mac User $100,000”
The title of this article is the problem here, Brian. Your advice for online banking is sound, but if the title had stated “Use of a Non-banking Computer Cost a Businessman $100,000”, then it would not have set off the predictable OS debate.
I agree that banks need to step up and provide more protection for small business accounts BUT Mr. Green’s choice to authorize a MONEY TRANSFER on a computer that his children use to install who knows what was beyond DUMB.
Like or Dislike:
0
0
Simple solution, so simple and brilliant that I should go tell my bank and charge them for the idea, but… Each bank issues its own branded live CD with a browser whose home page is their online banking. Make it so it reboots the system after logging out from the bank’s web site. Duh.
Hot debate. What do you think?
8
5
Let’s not blame it on OS. Today most of the users are on windows and we are seeing Windows based Malware and tomorrow you might see Mac and Linux Malware.
Let’s solve the problem at ROOT itself.
The only solution for this problem is out-of-band authentication using a mobile phone code. But maybe Zeus can beat it as well, just like the RSA token. Apart from this, banks have to set up sending a mobile verification code when the user adds a payee or modifies payee information. This should alert the customer and could solve problems.
1. Mobile Phone authentication code for transactions
2. Authentication code for add, edit payee information
Like or Dislike:
1
1
For those interested in the general pros and cons, both technical and market-wise, of OS X and Windows here are two OS X security researchers, Charlie Miller and Dai Zovi, on the topic:
http://news.cnet.com/8301-27080_3-10318943-245.html
http://www.computerworld.com/s/article/print/9137992/Apple_missed_security_boat_with_Snow_Leopard_says_researcher
Like or Dislike:
3
2
@pwn2own they are still giving away Macs as a prize, so the Mac is also vulnerable.
In this case having tokens or (as I have for my private banking) a card reader (that uses the chip on my debit card) would have stopped this attack, as they would not have been able to transfer money a couple of days later.
A lot of things went wrong here. Would a RO cd have helped? Probably but even these can be compromised (in memory) the moment the person using it would also have used it for other activities. So you would need a very narrow band cd.
But even here you can be in trouble if you run the CD on a machine where the network card has been hacked (not very likely at the moment, but who knows).
2 factor authentication would have prevented this days after the fact theft
Like or Dislike:
3
2
Since the majority of people have mobile phones, wouldn’t switching from an older password based technology to a two-factor authentication technology (like RSA SecurID, VeriSign, SMS text, etc.) pretty much fix this banking identity theft issue? That’s what I see at my bank and in my enterprise corporate environment.
Like or Dislike:
2
2
“wouldn’t switching from an older password based technology to a two-factor authentication technology (like RSA SecurID, VeriSign, SMS text, etc.) pretty much fix this banking identity theft issue?”
Basically, no.
2-factor has been suggested repeatedly, and has failed repeatedly. A running bot can be a man-in-the-middle inside the computer between the user and the bank. Any authentication whatsoever can be demanded, passed through, and once the account is open, the bot has full access. It can even change displayed values to represent the old amounts. Many different approaches are possible.
Perhaps some form of 2-factor would work, but what that might be is not at all clear. This is much trickier than it seems at first.
The real problem is the bot infection. A hard-drive infection persists until the OS is re-installed. No tools exist which can certify a computer as clean for online banking. That leaves most of us pretty much between a rock and a hard place, unless we boot from DVD.
Well-loved. Like or Dislike:
7
1
What’s with this secrecy about how much money is in one’s account? Taxation office already knows what’s there (at least here in Australia). So you know how much I have in my account. Big deal. It’s not like you can get any of it. At best, you might get jealous. Or maybe you’ll have a chuckle.
Whenever I transfer money to a new account, the bank requests I get an SMS with a (one-time) code to verify the account addition. That code is only valid for a short period of time and can’t be used again. Any already existing account I transfer money to doesn’t require validation. So you’ve got a hot bot that can get into my account and transfer everything to my electricity supplier. That company is just going to write me a cheque for a refund as I paid too much. As soon as you try to add a new account, I get an SMS on my mobile. Yes, in clear text, but only I see it. How would you go about sniffing mobile phone traffic to catch that SMS? The bank doesn’t know where my phone is at that point, and SMSes aren’t exactly broadcast across a network. My phone is my lifeline, so when I lose that, my phone number will be blocked pretty quick.
The bank also lets me control how much I can transfer at any one time on a day. Changing that setting requires, again, SMS verification. Changing phone number, of course, requires SMS verification on my old number first.
Looking at what’s available, I think my bank did a pretty decent job of securing my bank account and still managed to keep my life simple.
Like or Dislike:
3
0
SMS authentication is better than nothing at all, which appears to be what was happening in the article above; however they are getting past the SMS, and there was actually a story about it in the Australian news recently. The primary method is contacting your phone company and forwarding all your calls, including SMSes, to a new number, their number. The authentication with phone companies is as simple as googling some basic personal information. A small Australian hacking gang was exposed doing this. Under anti-competition legislation telecommunications companies are forbidden to make it difficult for a user to switch between companies (as users were being abused) and so the telecom companies can’t beef up this low level authentication, nor do they really care to and pay for the extra admin. The next attack is phone trojans, which are popping up designed to steal the SMSes. There are actually a whole host of other attacks with SMS outlined on the security page of my website, too many to list here, but like I said anything would have been better than nothing.
Well-loved. Like or Dislike:
4
0
Build two bridges over a canyon.
In the first bridge cut 5 man sized holes.
In the second one cut 45 man sized holes.
Which one would you rather cross? Which one is more “secure” ?
No one is saying Mac or Linux is 100% secure. It’s just more secure than Windows. If for no other reason than it only has “5 holes” rather than “45 holes”.
Of course the numbers 5 and 45 are random..just illustrating a point.
Hot debate. What do you think?
8
7
It is way too easy to fall for some hack online. People don’t even know what to look for, or what is possible / impossible. How many of us have to spend time debunking those chain emails warning about idiotic viruses that don’t exist, while telling people about what IS real and floating around?
I know it’s popular to say that Apple’s products are not as prone to hacks, but the PWN2OWN challenge has shown that, in fact, they are rapidly becoming very popular in the hacker’s world. Safari and the iPhone have both fallen easily. Android and Chrome, not.
Which is why I’m excited about ChromeOS. There just are too many websites hosting malicious content – either intentionally or unintentionally.
Just yesterday, we learned that the supposedly tested and secure CNET downloads, was in fact hosting malicious software that targeted Macs: http://news.cnet.com/8301-27080_3-20006502-245.html
ChromeOS can’t come soon enough.
Well-loved. Like or Dislike:
8
1
What about using Ubuntu in Sun VirtualBox to access online banking? Fire up the virtual box to access the bank site and then close the virtual box when finished. Is that as secure as what I have heard?
Like or Dislike:
0
0
No. If the base OS is compromised, then you are screwed. There is an interesting project called Qubes http://qubes-os.org/. The idea is that you trust the base OS because you can’t modify it. Then you run all your apps in security VMs that are all separated from one another. So you can do general surfing in one VM, write up a confidential document in another, etc. If malware is on the base OS though, the base OS has full control over all VMs, and is therefore susceptible. If you can build an OS where you can trust the base OS, which is what Qubes is doing, then you should be ok.
Well-loved. Like or Dislike:
8
0
I’ve said this before in other articles of this type.
Why can’t the banks set up a white list of vendors for a business customer? Then, if a number of transactions are presented to the bank from unknown vendors, have the bank put a hold on the transactions until an OOB authorization can be obtained. It may be snail mail, a cell phone call to the CFO/CEO.
The credit card companies can ascertain that a CC transaction is unusual (by location, amount, etc) and contact the cardholder and either decline the transaction or at least delay it while the CC company contacts the customer by phone. This is because the CC may be on the hook for the amount fraudulently transacted. Make the banks responsible for at least some of the amount and I’ll bet you will see a difference in their response.
Well-loved. Like or Dislike:
14
0
The company I work for, their bank, actually does use a white list. Money can only be moved out of the company’s account to a pre-approved account(s) and payments can only be made to pre-approved vendors.
Adding new vendors requires some form of approval from our CFO.
Well-loved. Like or Dislike:
12
0
So the pre-approval is done prior to every additional payee? A larger company with employee turnover (fast food, convenience store, etc) would need to contact the bank every time they hire and fire to change their payroll batch.
This puts a lot of burden on the customer and will not save the bank much over the cost of a true transaction authentication system.
Like or Dislike:
2
0
While it’s interesting that if the user would have used his Mac over the Windows machine none of this would have been an issue, the biggest thing about this is that the company had policies in place to secure against this online fraud, using the company laptop that is secured to access the information. The owner of the company violated these policies and got nailed. It is a shame that it happened, but there are reasons why security policies are in place. The new policy is great, until the owner decides to bypass it again; hopefully there is something with the bank that will allow more than the owner calling and asking for a variance on the IP that can access the account, otherwise this will happen again.
Like or Dislike:
5
2
It wasn’t the PC that lost the person the money, it was the decision to use a computer that was infected with something that could steal the credentials.
We are sure programmed every day by articles like this one to defer blame for our actions onto something/someone else. Stand up and take responsibility for your actions, I say…
Oh, and don’t pay any attention to the keylogger attached to the computer running the Mac, or Windows, or LiveCD…
Hot debate. What do you think?
6
11
“We are sure programmed every day by articles like this one to defer blame for our actions onto something/someone else. Stand up and take responsibility for your actions, I say…”
Succinct and well said. Couldn’t agree more!
Hot debate. What do you think?
3
7
In every one of these banking thefts that I have read about to date the victimized organization either lacked or incorrectly implemented dual controls as they pertain to their finance team (including the municipality in the mid-South from your WP days). To oversimplify, two employees are required to transfer funds out of the bank account – one person initiates the transfer and another person approves it.
There’s a reason why dual controls are considered a best practice.
Like or Dislike:
4
3
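The controls described in the comments above (a payee whitelist with an out-of-band hold for unknown payees, and dual control where the initiator and the approver must be different people) can be written down as a small policy engine. This is an added example, not code from any bank or from the article; the payee identifiers, amounts and user names are constructed for the demo, and the threshold at which dual control kicks in is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TransferRequest:
    """One outbound transfer as a bank portal would receive it (constructed)."""
    payee_account: str                 # constructed identifier, not a real account
    amount: int                        # whole dollars
    initiated_by: str                  # user who entered the transfer
    approved_by: Optional[str] = None  # second user who approved it, if any


class TransferPolicy:
    """Decide what to do with a transfer request.

    Hypothetical controls modelled on the comments:
      * payee whitelist: transfers to unknown payees are held until an
        out-of-band (OOB) authorization arrives, never silently processed;
      * dual control: transfers at or above `dual_control_threshold`
        (assumed value) need a second, different person to approve them.
    """

    def __init__(self, approved_payees, dual_control_threshold: int):
        self.approved_payees = set(approved_payees)
        self.dual_control_threshold = dual_control_threshold
        self.held = []  # requests waiting for OOB confirmation

    def evaluate(self, req: TransferRequest) -> str:
        if req.amount <= 0:
            return "rejected: invalid amount"
        if req.payee_account not in self.approved_payees:
            self.held.append(req)
            return "held: payee not on whitelist, OOB authorization required"
        if req.amount >= self.dual_control_threshold:
            if req.approved_by is None:
                return "pending: second approver required"
            if req.approved_by == req.initiated_by:
                return "rejected: initiator cannot approve own transfer"
        return "approved"

    def confirm_oob(self, req: TransferRequest, confirmed: bool) -> str:
        """Resolve a held request after the OOB contact (phone call, mail, ...)."""
        self.held.remove(req)
        if not confirmed:
            return "rejected: OOB authorization declined"
        self.approved_payees.add(req.payee_account)
        return self.evaluate(req)  # the dual-control check still applies


def demo():
    """Replay the pattern from the article: a batch of mid-size transfers
    to individuals the business has never paid before. Amounts are constructed."""
    policy = TransferPolicy({"ACME-SUPPLY-001", "PAYROLL-BATCH"},
                            dual_control_threshold=5000)
    crooked_batch = [TransferRequest(f"MULE-{i:04d}", 4900 + 10 * i, "owner")
                     for i in range(14)]
    decisions = [policy.evaluate(r) for r in crooked_batch]
    return {"held": sum(d.startswith("held") for d in decisions),
            "approved": decisions.count("approved")}


if __name__ == "__main__":
    print(demo())
```

With these two controls in place, a stolen password alone is not enough: every transfer in the replayed batch is held for an out-of-band check, and a large transfer to a known payee still needs a second person.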
Let’s face it: Windows IS insecure. Period, end of story. If it weren’t for Windows there would be no million-strong botnets and 90% of the cybercrime that plagues us today simply wouldn’t exist. It’s true, and claiming otherwise is an exercise in willfully ignoring a well-documented history of Windows-based exploits.
Hot debate. What do you think?
9
13
I think the demand for criminal botnets is great enough that, given a situation where there never was Windows, botnets would find a way to thrive in a different environment.
Rooting a system can take place on any OS. Once it’s rooted you can do anything you want. Criminals wanted free distributed computing. They would’ve got it without windows in the picture.
Hot debate. What do you think?
4
7
Uh sure… I use Windows every day for everything I want and haven’t ever been infected with a virus or trojan…
What are you going to say when there is enough market share to encourage hackers to create trojans for Macs?
As I have said before, the problem isn’t with the technology, rather it’s with the users… Take responsibility for your actions…
Hot debate. What do you think?
9
8
Exactly. Users are the weakest link. That’s why social engineering is the primary means of attack. And it works just as well whether you’re on OS X, Windows or Linux. If you do crazy things, and lots of users do, then it does matter what OS you are on.
Hot debate. What do you think?
4
4
Fact is, more Windows machines are compromised than are Mac OS X, or Linux machines.
To be logical about it, there are likely *numerous* causes for that. One likely cause is that, in the countries where many of the ‘bad guys’ live, there may not be a lot of Macs, or Linux boxes. The bad guys are trained on Windows. And why should they learn either of the other two choices? They’re doing quite well with Windows, thank you very much.
We really don’t know how long Macs and Linux will be relatively safer – with an 85% share, or more, seems like Windows could remain a lucrative target for a long time.
Does anybody *know* if all, or most of the exploited businesses were on XP, or were there any Vista, or Win 7 PCs?
Hot debate. What do you think?
4
8
It’s not about the OS he was using. He used his household computer instead of a secured business machine. ANY OS can be compromised. You want to know why you see more stories of windows machines? 90% market penetration is why.
Give his kids a Mac to use and they’ll find malicious software somehow. Kids do this. They will follow any lead to what they want, even if it’s a keyword generated malware page. Call it innocent curiosity. They don’t know any better yet.
Macs don’t magically protect against over-trusting users. There isn’t a complete absence of malicious software for Macs. What you don’t see is any popular exploits that worms can spread through, but this is most likely due to the market penetration reason. What you do see is hackers convincing people to run code or divulge information that gives them access. This is how most machines are infected *on any platform* and is only avoidable by following strong security practices.
Well-loved. Like or Dislike:
12
7
I absolutely agree with you here:
“Macs don’t magically protect against over-trusting users. There isn’t a complete absence of malicious software for Macs.”
Having taught logic to undergraduates, though, my perspective is a bit different. If all the cases of bank fraud had been on computers painted green, I’d still paint mine another color.
Even if I don’t know precisely what the cause is, or if there’s a causal link at all, seems to me that it is wise to take the caution.
We do know that .exe files don’t run on Linux (or Mac).
I’ll ask again – does anybody know if the Zeus trojan, or any other malware specifically associated with the cases of bank fraud in question, runs on Win 7, or Vista?
Are either of these two MS operating versions ‘another color’?
Hot debate. What do you think?
6
6
“I’ll ask again – does anybody know if the Zeus trojan, or any other malware specifically associated with the cases of bank fraud in question, runs on Win 7, or Vista?”
That seems like an odd question. The motive for all of this is profit. Something like Zeus can be made to run in Win7 or Vista or Mac or even Linux for that matter. The real question is what target will be most profitable, and that answer will direct both expert development and distribution.
Much as hawks can be expected to follow pigeons, malware authors will follow their marks. If and when it becomes more profitable to attack Win7 than XP, Win7 will suddenly become the major target.
Systems which support infection (i.e., those which boot from a hard drive) will always be much more profitable than those which do not. Once a system is infected, those bots stick around for session after session, until something worthwhile happens by.
It is possible for a bot to run even in Linux loaded from DVD, but that opportunity only lasts until the end of the session. And if there is nothing to steal by that time, the chance for profit is gone.
Hot debate. What do you think?
5
3
Yes. The newer versions of Zeus (revs. 2 and 3) are designed to run on both Vista and W7. Older versions of Zeus also would run on limited user accounts, if I recall correctly.
Well-loved. Like or Dislike:
6
2
Some people are protected by a ‘Reality Distortion Field’. Crooks love ‘em. There’s no better target than someone who grossly underestimates their risk exposure.
Like or Dislike:
4
3
Everyone trying to rationalize why is missing the point; the arguments don’t fix reality.
The only thing that matters is the probability of having your account emptied given that you are running a particular software. It’s a number, and it can be compared between Windows, a LinuxLiveCD, and OSX.
Sure, other measures of care will reduce that probability even further. But I would suggest that there is NO other assumption other than “runs windows” that makes enough difference to matter.
Hot debate. What do you think?
7
6
Firstly, the argument about operating systems is quite valid.
The Microsoft Platform is inherently, by design, unsafe to use in a secure environment.
The reasons why are simple: it is a legacy feature of its monolithic design.
Unix based systems, however, are both modular by design, as well as true multi-user, multi-tasking, systems, by design.
This allows for real privilege separation.
While I use Linux based systems, I also use the Clam-AV virus software, running as a privilege separated process, while I operate within a limited privileges account.
Unlike other operating systems, I can actually do this, without issue, as by design, Unix based systems were built this way from the ground up.
The use of an “Administrator” account in Unix based systems, for normal use, is heavily discouraged, as it is unnecessary.
As for the virus scan, it is done to scan my own inbound email for viruses.
This is essential, when receiving email with attachments from third parties, as while I am proof against attacks, others aren’t.
While the virus/exploit/etc won’t affect me, it will affect others, should I forward it on, unaware of its payload.
As for the banks, I am also a Business person, with business accounts.
My bank provides a service where any single amount over $500 dollars, or any total daily amount over $2000, requires an authentication.
This authentication is delivered via SMS, NOT EMAIL, to my cell phone. Although it could be sent to any device that supports an eight to sixteen character alphanumeric key.
Without this key, the transaction won’t complete.
Regardless of whether I use telephone banking, online banking, or over the counter banking, this authentication key is required.
Yes, it slows down my big dollar transactions, by about five to ten minutes.
However, since using it, I have had several declined transactions, whose origin was unknown.
My bank is happy, as they (modestly) charge this as an extra.
I am happy, as I no longer worry about large amounts or unauthorized deductions leaving my account.
It’s a simple system that works.
However, to ensure that it can’t be easily exploited, my bank insists on not sending the key via email, in plain text.
While you could vary the delivery method, this two part system is as secure as you can get, for the cost.
My experience so far is that it stops all forms of deliberate fraud and other third party “error” dead in its tracks.
To exploit such a system is not infeasible; however, to find those responsible would not be very hard for most Feds.
Such a system protects both the Bank and the Client from unintended consequences, as well as being able to be “tolerated” on unsecured systems.
Not that I use Windows anything, for anything much.
As for the spurious claim that Windows is a bigger target simply because there are more Windows based systems: FALSE.
Next time, check Netcraft, and see what the ratio of Windows Systems to Unix systems are, for what runs the Internet.
According to the theory that total mass attracts greatest attention, Apache Web Servers and Unix based Server systems (LAMP stacks) should be the most exploited targets on the Internet.
Sadly, we know this not to be true.
Well-loved. Like or Dislike:
11
7
Well, does anyone think the banks will change their behaviors if they’re NOT financially accountable for the losses? I’m not going to debate the pros and cons if they should or shouldn’t bear that burden, but that’s the real-world talking.
Or do you think the users will change their behaviors if they’re not liable?
Like or Dislike:
2
2
I can’t speak on behalf of the banks in America but I was shocked when I found out how strong online banking security was in Indonesia. Many of the banks there issue electronic tokens with transaction authentication built in for online transactions; the cost of implementing this would have been enormous. I couldn’t understand how a developing country could afford such measures until I was informed that there are very few business or personal liability laws regarding fraudulent online transactions in Indonesia. A hacked account is the end user’s bad luck. So it appears legislators can have a strong effect on the behavior of the banking system with regard to IT security.
Well-loved. Like or Dislike:
7
2
Intuit? Are you reading this? If you want to stay relevant, you had better read this a few times. If not, I can always turn my customers on to GnuCash.
Like or Dislike:
4
3
The problem with using Windows is two-fold. One is the oft-repeated ‘they have a bigger market’. The other is that Microsoft has a lax attitude towards security. The Linux community considers a bug that is theoretically capable of resulting in a remote root exploit a serious security problem that needs fixing NOW. Microsoft, on the other hand, often waits until there’s a proof of exploit before they take action. To add injury to insult, they then wait until the next patch day to release most fixes. This means that users can be left with a 0-day exploit being unpatched for up to a month (sometimes a bit more) if the crooks time their exploits properly.
Hot debate. What do you think?
6
6
I agree, but the difference in attitudes is even more than you have stated.
The Linux community takes pride in their software. A security bug is a personal failure and must be fixed soonest. Bug discussions are on open mailing lists or IRC channels. They had a patch for the Ping of Death in 2 hours 35 minutes. (See http://insecure.org/sploits/ping-o-death.html)
To Microsoft, a bug is a public relations problem. They have cowed most of the security researchers and anti-virus companies into not revealing bugs to the public, no matter how long it takes MSFT to release a patch. When a fix actually appears in a Patch Tuesday, it often is not mentioned, or the bug is only admitted when the patch is ready. Huzzah! That does wonders for their response time numbers, regardless of their customers’ actual vulnerability windows. Again: PR trumps engineering at MSFT.
Hot debate. What do you think?
5
6
Well it looks like Microsoft’s army of FUD is swarming your story. It’s to be expected. For some it’s a true love of the virus infested, malware plagued, keylogger loving OS that is Windows. For others it’s based on cash. Don’t you just love astroturf.
I stopped using Windows for anything a long time ago, but before I did it cost me a few thousand thanks to a keylogger.
Hot debate. What do you think?
5
8
I still use Windows but as a Limited User which I find has become much easier with Win 7. I haven’t seen any references to Limited Users lately in your blog. Do you still advise their use?
Like or Dislike:
2
3
You are crazy not to run as non-admin most of the time. It is vastly easier to do in W7 than in earlier versions of Windows. I have found the experience essentially the same as running on a Linux OS. In part this is because Microsoft has been forcing developers to write software for the standard user. Up until recently they had to deal with a huge legacy of code that assumed admin rights.
They also have a cultural problem weaning Windows users off admin rights. This may be why the default install setting for W7 is Admin Approval Mode. If you install W7 you have to manually set up a standard user account. But Microsoft sees AAM accounts as transitional to getting all users to be running as standard user by default.
For more see Crispin Cowan’s 2008 PDC talk:
http://channel9.msdn.com/pdc2008/PC51/
Like or Dislike:
4
2
If you’re a developer you still need to be logged in to Windows as an administrator all the time or else you are just wasting your time. So developers STILL need to get another computer for their web surfing and email.
On Linux you can just sudo for the rare moments when the developer needs to install something to test it, and developers can log in as normal users.
Like or Dislike:
0
0
While I get what the argument is about here, I think that you all forgot to mention that UNIX can be exploited just the same as windows, no matter what Unix it is.
http://en.wikipedia.org/wiki/Python_%28programming_language%29
You can make the same exploits for UNIX; it is even recommended to begin learning to write exploits on Unix with languages that can be used for Windows as well.
The reason Windows is less safe than Unix is mostly statistical. While Unix does have some basic advantages in the way it handles files and user permissions, they aren’t too important in my view. There are a billion exploits for Unix; you just don’t see them very often because world+dog have Windows!
Hot debate. What do you think?
3
5
Here, check this out: http://en.wikipedia.org/wiki/Buffer_overflow
You can exploit an Xbox with the exact same thing that would be used on Windows or Unix.
Like or Dislike:
4
3
and for the nerdier among you:
http://traversecode.com/2010/03/08/from-pdfexploit-to-zeustrojan-subject-steals-bank-credentials/
Like or Dislike:
4
2
Security is about risk treatment. Users should pick the method that is safe enough for them now and in the very near future. Only the very near, because it is easy to make a new switch.
The what if in five years, the who is really deeply fundamentally safe, the if it was not for…, the they did really improve and maybe if they continue, the philosophic questions, we can use at the bar.
Like or Dislike:
2
2
I’m getting a bit “tired” of the OS bashing. It doesn’t matter that it was a Mac, or Windows, linux, Google OS, OS2, System7, BEOS, HPUX, AIX, BSD, freeBSD, netBSD, openBSD, or an abacus.
There isn’t “one” Operating system that is going to make your world “secure”. I’ve spent years of my life proving that you can secure any of the OS’s that exist. Mac is no better/worse than any other for security flaws, and now that it’s the “New Microsoft”, it’s only going to get worse for Mac users. (see http://www.scribd.com/doc/19850499/FREE-Pr0n-Making-the-Switch-to-Linux)
** Note – SFW, I wrote the presentation in 2008, when switching to linux, and note slide 6, and why I didn’t switch to Mac)
While some of you think that makes you “safe”, you’re in denial.
Paying attention to your bank statements, requesting two factor authentication tokens from your financial institution, and changing your passwords every 60-90 days will HELP, but it won’t 100% prevent online fraud, or theft.
Being an informed user will also help. Learn, ensure that you know how it works, and don’t blindly install software without verifying its authenticity. If you don’t know how to do that, learn.
I’m tired of people whining about losing their $$$, when they just blindly expect things to be secure, just because it is “convenient”.
Look people, get a clue, the banks aren’t going to secure your transactions, if you aren’t going to secure YOUR transactions. The banks really DON’T care about YOU, they care about their bottom line, and keeping their shareholders happy. It doesn’t get any simpler.
If you don’t understand that, then perhaps you should put your computer back in the box, and send it back.
That’s my 2cents, YMMV.
Well-loved. Like or Dislike:
9
4
@dc0de,
>Look people, get a clue, the banks aren’t going to secure your transactions, if you aren’t going to secure YOUR transactions. The banks really DON’T care about YOU, they care about their bottom line, and keeping their shareholders happy.
The banks could at least give people the means to fully secure their accounts against unauthorized transfers – such as an out-of-band method to manage a whitelist of authorized wire- or ACH- transfer accounts.
Like or Dislike:
3
0
David may be at fault here. Most companies have a policy to describe what and where you can access company resources. Blaming the OS or the family will not change the fact that IT security depends on humans to be effective. A better option would have been to use a smartphone to access the account. If he had done so, it is not likely that this problem would have happened.
Like or Dislike:
2
0
There is already a solution to this type of incident, unfortunately it’s not been fully rolled out by banks or card manufacturers. On a bank card chip there are numerous ‘applications’ for the various functions it can do (ATM, debit, authentication, etc..); one of the applications available generates unique, contextual codes that you use instead of passwords and to authenticate transactions. It uses various different aspects of the card profile and other random and fixed hidden values. This functionality is usually accessed through a dumb terminal which looks like a calculator and basically just adds a keypad and screen to your card (you can even get some cards with this inbuilt!). In the UK it is being rolled out by some banks as a PIN sentry; the beauty of it is that since the terminals are dumb any bank’s card can be used in any manufacturer’s reader. The codes it generates are one time only and there are different levels of code depending on what you are wanting to do. In this instance to generate the correct code you would need the PIN, the amount to be transferred and details of the receiving account, as well as physically having the card, making this kind of attack, and the whole profitability of this type of trojan, pretty redundant.
The only problem is the usual two-fold bind. First, cost – it’s not significant but even at $1 per terminal it would cost millions of dollars to roll out for a medium sized bank. More importantly though, the second bind is people: they are stuck in their ways and as such are deeply mistrusting of a new tech like this that requires them to put the PIN into something that seems so light and potentially open to security problems (it’s not though, there’s anti tamper tech inside that screws up the number generation if it gets opened and the device itself has no memory). They also see it as an infringement on their freedom, having to have one of these units around to do internet banking, or even shopping online if it’s used to its fullest. Unfortunately this is probably the best chance we have of beating the hackers and malware; it just needs people to accept it and enough banks to roll it out…
Like or Dislike:
0
0
You are referring to the CAP readers (Chip and PIN) operating on the EMV standard. I might be able to give a little more detail on the method and why it’s not being adopted broadly. Regarding the cost, a blank EMV smartchipped card actually costs itself around $1 each; the banks end up paying closer to $2 per card by the time it’s programmed, printed etc, and that’s just for the basic cards (in million+ orders). I have heard the readers themselves cost at least $10+ each for the simplest models in the quantity of millions. This is why Asia, Africa and South America will never adopt EMV for online transactions and why America is squealing about the prospect.
The problem with the online OTP codes they generate is that, like the RSA tokens, they do not stop the trojan attacks or even oldschool phishing. They do have an unused application for doing transaction authentication which none of the banks have enabled that I am aware of. The reason it’s generally unused is because the demonstrations I’ve seen require at least 40+ digits of transaction authentication information (PIN, challenge code, response, account destination, transaction total, resulting OTP) to be entered into both the device and terminal by the user for any transaction. The banks know this won’t fly so they primarily use it as a type of challenged OTP (the user needs to enter 6 or 9 random digits from the website into their device, which hashes this with the secret key off the card to make an OTP), which is just as vulnerable to trojans like Zeus.
My own method PassWindow does a flexible OTP and transaction authentication which only requires the user to enter in 6 digits to perform, and it does it at practically no cost of implementation; also it can do nifty things like include IP info into the transaction authentication at the server level without requiring any extra action by the user. The user also doesn’t have to carry around a calculator sized card reader. There are a bunch of whitepapers written about CAP by Ross Anderson of University of Cambridge; they are quite sobering.
Like or Dislike:
0
0
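The two mechanisms these comments contrast, the plain challenge OTP that "is just as vulnerable to trojans like Zeus" and a code that binds the PIN, amount and receiving account to one transfer, together with the earlier commenter's $500 single / $2000 daily rule for when a code is required, as an added Python example that is not code from any commenter, from PassWindow or from the EMV/CAP specification. HMAC-SHA256 stands in for the card's real cryptogram, the six-digit code length, account names, secret and challenge are all constructed, and the "tampered" case models a malware-modified request reaching the bank.

```python
import hashlib
import hmac

# Thresholds as the commenter describes their bank's rule: any single amount
# over $500, or any total daily amount over $2000, needs an out-of-band code.
SINGLE_LIMIT = 500
DAILY_LIMIT = 2000
CODE_DIGITS = 6  # assumed code length (the thread mentions 6 or 9 digit codes)


def needs_authentication(amount, sent_today):
    """Bank-side rule: does this transfer require an out-of-band code?"""
    return amount > SINGLE_LIMIT or sent_today + amount > DAILY_LIMIT


def _truncate(mac):
    """Reduce a MAC to a short numeric code (first four bytes, mod 10^digits)."""
    return int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)


def challenge_otp(secret, challenge):
    """Plain challenge/response OTP as the comment describes for most CAP
    deployments: the code depends on the challenge only, so it approves
    whatever transaction is submitted alongside it."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())


def transaction_code(secret, challenge, amount, destination):
    """Transaction-bound code: amount and receiving account are mixed into the
    MAC, so the code is only valid for exactly that transfer."""
    msg = f"{challenge}|{amount}|{destination}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_verify(secret, challenge, amount, destination, code, bound):
    """The bank recomputes the expected code from the request it actually
    received and compares in constant time."""
    expected = (transaction_code(secret, challenge, amount, destination)
                if bound else challenge_otp(secret, challenge))
    return hmac.compare_digest(f"{expected:0{CODE_DIGITS}d}",
                               f"{code:0{CODE_DIGITS}d}")


def simulate_transfer(bound, tampered):
    """Constructed scenario: the customer's device computes a code for the
    transfer the customer intends; when `tampered` is True, malware on the PC
    has rewritten the destination before the request reaches the bank.
    Returns True if the bank accepts the transfer it received."""
    secret = b"constructed-per-customer-card-secret"   # constructed
    challenge = "483920"                                # constructed challenge
    amount, intended_dest = 1500, "ACCT-INTENDED"       # constructed
    received_dest = "ACCT-REDIRECTED" if tampered else intended_dest

    if not needs_authentication(amount, sent_today=0):
        return True  # below both limits: the rule asks for no code

    # Code computed on the customer's side from what the customer sees.
    code = (transaction_code(secret, challenge, amount, intended_dest)
            if bound else challenge_otp(secret, challenge))
    return bank_verify(secret, challenge, amount, received_dest, code, bound)


if __name__ == "__main__":
    for bound in (False, True):
        for tampered in (False, True):
            print(f"bound={bound} tampered={tampered}: "
                  f"accepted={simulate_transfer(bound, tampered)}")
```

The plain OTP accepts the redirected transfer because the code never committed to a destination; the transaction-bound code is rejected the moment the bank recomputes it over the account it actually received.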
“This is not about OS “code quality” per se, but instead about market share. In general, malware is about profit, and encounters machines at random. When is it going to be more profitable to attack Macs or Linux if 91 percent of browsing occurs under Windows? ”
When will people stop making the discredited market-share argument? Mac OS X has a much bigger installed base of machines than Mac OS 9 ever had. There were more than 35,000 known Mac OS 9 viruses. Were there 400,000 viruses for Windows and only 1200 for Macintosh, the market share argument might have some traction. The fact that there are no known Mac OS X viruses and the fact that Trojan infections of Macs in the wild are virtually if not actually unknown, this market share argument is specious.
As to the “profit motive,” as shown by this article, Mac OS X users tend to be more affluent than their Windows PC counterparts and they tend NOT to run virus protection at all. The fact that there are MILLIONS of them belies the idea that they are totally ignored because they do not have the market share.
This is the Market share argument analogized to homes. 91% of the homes in any town are middle class homes and most of the owners have some kind of security system protecting their homes. 7% of the homes are mansions with no security systems. The crooks ignore the mansions because there are so many middle class homes with security systems from which to choose. RIIIIIGHT!!
The fact is that most versions of Windows, especially versions older than 7, are proprietary, monolithic and poorly coded. Mac OS X is based on an open source microkernel that presents far fewer opportunities for attack, hence raising the effort and knowledge bar of the virus author. Microsoft learned much from past mistakes but they are patching old code rather than redesigning.
Like or Dislike:
3
3
Most malware depends on social engineering. As far as I know OS X users are just as easy to engineer as Windows users but no doubt some one will make some claim to the contrary.
Like or Dislike:
3
1
Social engineering, OK.
Just have trouble imagining an OS independent attack, besides a hoax. And the others will only work on the aimed OS/application.
Like or Dislike:
0
0
“When will people stop making the discredited market-share argument?”
Speaking for myself the analyst, I would stop using any argument which does not improve insight on reality. Currently, what I call “dominant-profit” (DP) model seems the best explanation. Although strongly related to raw market share, the insight is that malware is built to exploit the *single* most profitable target (generally speaking). Claiming that as “discredited” requires actually understanding the model.
“The fact that there are no known Mac OS X viruses and the fact that Trojan infections of Macs in the wild are virtually if not actually unknown, this market share argument is specious.”
The DP model is *not* about market share per se, but instead *maximum profit*. DP specifically predicts that attacks will *not* be proportional to market share, but instead will focus mainly on whatever makes the most profit. Consequently, DP is also *not* about variations in the secondary OS’s. Why would an attacker choose any approach other than the best profit?
“As to the “profit motive,” as shown by this article, Mac OS X user tend to be more affluent than their Widows PC counterparts and they tend NOT to run virus protection at all. The fact that there are MILLIONS of them belies the idea that they are totally ignored because because they do not have the market share.”
That greatly misunderstands malware distribution. In general, malware appears at a machine at random. It must then deal with whatever machine it lands on. 91 percent of the time, that will be Microsoft Windows, so it had pretty much better be ready to run in a Windows OS and then infect and subvert the Windows system. (Those who would avoid general malware distributions should not run Windows.)
Once the malware is running on a Windows system, the botmaster can investigate the hard drive and make decisions about which user to target. At this point, the opportunity to attack a Mac has long passed.
Specifically targeting a particular company or individual from the beginning (thus being ready for the Mac they have) can be successful, but involves a great deal more hands-on work. Since making profit by simple distribution is easier, targeting is mainly used to acquire information which is otherwise unavailable. This is called intelligence.
“The crooks ignore the mansions because there are so many middle class homes with security systems from which to choose. RIIIIIGHT!!”
The analogy is poor. For one thing, burglary is generally targeted, at least to some extent, and is not random like most malware attacks. For another, to a large extent, a house is a house, and burglars do not need completely different techniques to exploit where they find themselves. And, except in the movies, few burglars enjoy the benefit of direct broadband to the evil genius, with new tools and directions for internal attack immediately available without having to carry them in. Burglary is just not like malware, and so provides poor and misleading insight about what to expect from malware.
“Mac OS X … presents far fewer opportunities for attack, hence raising the effort and knowledge bar of the virus author”
This misunderstands the business of malware development. It is not necessary for each virus author to top the bar. Instead, a dedicated and well-paid team of computer experts develop a working approach. That approach can be quickly adopted and replicated by many malware teams no matter what their skill level, for a price. Unlike normal programming, even extremely complex attacks have a known and testable goal, and thus deliver value for price.
Well-loved. Like or Dislike:
9
2
Still, what should be the lessons to learn for a user managing their account via the Internet? I understand risks are seen as a function of impact, threat and weakness.
For impact, private users may be better legally protected than small companies, but impact will probably be the same for different platforms. Still, private users must also track their account and may have to prove their loss on the basis of possibly manipulated electronic data, which may become harder.
Even with a not so nice track record for MS (administrator rights on the Internet, integration into the OS of the most exposed component, the browser, long existing zero day vulnerabilities), let’s suppose that all systems have the same level of weakness. (Excluding however bootdisks, independent of the OS, as they cannot be infected by previous Internet use.)
The third factor is threats. It looks like we agree there are now more threats for a particular system. What would we do in similar situations? Would we discuss why a route is less safe and take into account that, in a few years, it may well change? Or would we simply take another route for now? I don’t see why risk treatment should change, even if the results may put in question the use of a frequently used system in certain critical situations, and if that may for some be seen as unjust.
It is of course nice that pages are spent pointing out it is not the error of the guys at MS. But whoever does not at the same time mention to the reader/client the countermeasures and alternatives takes, in my view, a heavy responsibility.
When it comes to alternatives and countermeasures, costs should be compared together with the change in risks that can be achieved. What’s the cost and the effect of a bootdisk, what is the price of another OS on a separate partition, what is the price and the effect of patching, etc.
As a bank I would distribute a verified bootdisk to my clients that, by firewall, would only give access to the site of the bank allowing use of the client’s accounts, and perhaps access to a client mailbox where the client could, if needed, send some data in preparation for his transactions. But it seems the possibilities of a big part of the software are not really well known. For home-banking I think it is in the first place the bank’s responsibility to offer a completely secured system, and it is the bank that should pay back if it goes wrong.
Like or Dislike:
1
0
If Mac gets a majority market share, I’m sure there will be plenty of exploits targeting it, and some will be successful. And there will have to be Mac antivirus programs to block/remove them.
But a question to the people who know more about operating systems than I do: Will we be talking about Mac rootkits then? Does the Mac operating system allow a program to alter its system files in that way, whether the user authorizes it or not?
If I can keep an antivirus program up to date and remove any malware that has been installed, I’m still a lot better off than I am with Windows, where a rootkit can alter system files in such a way that it can only be fixed with a reinstall (done using the Windows CD that didn’t come with my laptop, of course).
Like or Dislike:
2
0
Just Google a bit and you will find plenty of rootkits and Trojans for Mac.
If by some way your mac will get exploited and you get a backdoor it isn’t going to ask you for permission..
mac backdoor :
http://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml
http://www.net-security.org/malware_news.php?id=953
A hacker with enough skill to create backdoor exploits and trojans can make them for mac in no time, this is a fact of computer science and no fanboi can deny it.
Like or Dislike:
3
0
In the eighties, Mac fanboys didn’t use to laugh so much at windows users, about the virus.
Like or Dislike:
0
0
Whew. What a long read. QQ, you didn’t read very carefully about the Mac BackDoor (or maybe you did):
http://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml
It states: “Upon execution, the backdoor checks if it is run as administrator(sudo mode) by using ‘_geteuid’ and ‘_getpwuid’ API and then testing the output for ‘root’.
If it is not executed with sudo rights, it will just exit.”
It will only install with no questions asked if you are running your Mac from your administrator account. What are you doing that for? You are supposed to create a normal user account and use it for your every day usage. But if the misconception that Brian’s colleague Rob at the WP has is correct, 85%+ of all Mac users are probably using their Macs run from their administrator account. What are they doing that for? Bad boy/girl – DOWN!
As for thinking the file permissions of Unix / Linux don’t provide a lot of protection, they do! Microsoft couldn’t wait for IBM to put in file permission flags and rushed the HPFS which became the NTFS out the door:
http://www.securemecca.com/public/ChmodTable.txt
It is one extra hacker bump that the hackers have to find a way around it. I just wished NTFS had something similar. What use is there in storing where a file comes from in the file system once it has taken the machine over?
I appreciated all of the URLs but one of them was stale. But the most compelling statement of all was from Jim: “I stopped using Windows for anything a long time ago, but before I did it cost me a few thousand thanks to a key-logger.” Don’t blame him – he didn’t know at the time. Each additional hacker bump you can put in the way will be just one more thing that will deflect the attack away from you. Changing to a different less prevalent OS can help but not if you do stupid things like installing screen savers (any), untested software, running unsafely, or taking the default that Ubuntu has picked for their $PATH (search for sudo but the blog exists so I can report abuses to blogspot):
http://securemecca.blogspot.com/
The problem is complex, and although big businesses have staff that handle their computer security needs, the mom and pops that are the back-bone of most countries need some more protection like that given to a normal consumer. They have nobody but themselves and quite frequently the software they must use to run their businesses only runs on Windows. I hope they follow Brian’s remarks and implement his solution. One final thought – what are the crooks using that create this stuff? I strongly suspect that for their banking transactions it is exactly what Brian proposes – either a Windows machine dedicated to doing only banking or a LiveCD. Take your pick. I will say that quite a few of the hacker’s binaries I analyze every day do NOT use a normal Windows development system (read, some of them use MinGW or something else like that), so at least some of them are NOT using Microsoft Windows as their OS of choice.
Like or Dislike:
2
0
Well thought reply, about that Mac backdoor…
Normally you are correct but lets imagine situations where such a backdoor will be used:
You have a big company/army/government or what ever fits your picture, all your computers have Mac OSx and the majority of your co-workers have lower privileges but some have admin access for reasons that are not relevant.
Say one of those co-workers with the admin access decides to install the backdoor to steal money or info; he would be successful.
What I’m saying is that this admin access issue isn’t going to stop anything in the long term.
Win 7 and Vista (in Vista it is pretty annoying) have this privileges feature as well. It is not exactly the same, and while it contributes to the overall security and as such those OSs have lower infection rates, it is nothing to worry about for skilled hackers; as evidence there is a billion malware for Win 7 that will bypass the admin access.
Besides this is a story of pure bad luck, and that’s how I explain it since there is no software explanation here.
I could much the same tell you a story about a guy who drove a Toyota all his life and then one time he decided to go for Chevrolet and died in a car crash…and then write in big title
“Chevrolet cost a Toyota fanboi his life”
Obviously it is not because of the car but rather the situation.
Like or Dislike:
1
0
One of the more disappointing articles, in terms of headline and tone, that Brian has produced IMHO.
Reliance on security by obscurity, as is implied in the headline, provides a false sense of security. Mac OS users with no security nous, and a feeling they’re not susceptible to trojans and the like, are likely to become targets.
Not too farfetched to think one of the victim’s kids downloads a screen saver with something like http://vil.nai.com/vil/content/v_267638.htm is it?
Like or Dislike:
1
1
You’re right: I should have known this would turn into a “my operating system is better than yours” fight.
This story is the latest in a series of about five dozen on the scourge of e-banking fraud, and the steps that small business owners need to be taking to make sure they’re not the next victims.
Using a Mac for online banking is one of the alternatives to Windows that I have consistently recommended, in addition to a Live CD and lastly a dedicated Windows computer that is only used for online banking (not necessarily in that order).
This article doesn’t say Macs are impervious to anything. It only suggests that *at the present* business owners are orders of magnitude less likely to have their online banking credentials stolen by some kind of Mac malware than they are some kind of Windows-based malware.
This recommendation makes no prediction about whether that will remain the same forever. In all likelihood, attackers will start going after Mac users with malware more. But just because they might one day do that doesn’t make this a less smart alternative for today.
Again, it’s pretty clear to me that none of the victims I’ve written about care about the Mac-Windows-Linux-WhateverOS debate. They want to know what they can do now, today, to make sure their banking online is very quickly much more secure. They also realize waiting for the banks to secure the platform is not an option.
Like or Dislike:
3
2
You are totally correct but you take the journalist side, the people who work to secure systems should very much consider this OS debate depending on client needs.
People at home should also consider it, and the difference between Mac and Windows isn’t only about security. Say I’m a gamer: I do care about security because I don’t want my World of Warcraft account stolen, but I also wish to use many other programs/hardware that aren’t available for Mac, or I may be used to Windows and so on…
With all the good security intentions regarding banking, I still think that if someone got a Mac for those reasons he might regret it, and don’t forget that this is just statistics which call the malware stream.
Those statistics can change by the will of hackers; programming trojans for Mac requires the same knowledge as programming trojans for Windows. After all, there is no IE 6 as the most common browser on Mac, plus it is possible to make cross platform malware that targets 3rd party programs, and this is the real threat, since it is those IE6 and Adobe exploits that lead to Zeus and losing a bank account.
Updating browsers and PDF readers is cheaper than going mac it is also a better advice to deduce from this story here IMO.
You could be very safe with Windows too; some kid’s computer full of malware isn’t exactly a representative case and I’m not going to base any recommendations on that because it is misleading. A fully updated Win 7 with AV and firewall, with a user that has heard about malware, is rather safe.
I used to admin tech support forums and malware forums for a few years, and in my not so little experience, the majority of users who complain about infections are using IE6/7 (because they don’t like IE8 or w/e) on Windows XP with no service packs or SP1 and rarely SP2 (usually afraid to update because of an illegal copy of Windows), and they don’t care about security because “no one will want to steal their stuff” and uninstall AV because it ‘lags’ their games. This just shows why statistics are so misleading in this debate.
http://www.blueridgenetworks.com/products/appguard.php
Look at this program: it prevents any unauthorized changes in the computer. If you run with this all the time you are safer than with a Mac; you can put that on a kid’s computer and he will never install anything, malware or not, for $25 instead of $2000 per Mac.
I haven’t tested it myself but it should block anything unless you installed it after you have root kits.
Like or Dislike:
1
1
And your advice is spot on except for stopping short of doing it a little bit better with the Mac or any other sudo oriented ‘nix system except for the LiveCD versions.
I advise creating three users for sudo oriented (Ubuntu / Mac / et al) systems with the OS on the hard drive. Your bank only Windows machine and LiveCDs will probably be a little more secure as long as you resist the impulse to read email, etcetera and use them only for doing your financial transactions.
Here are the users a Mac owner needs to create, and from what I have read almost none of them are coming even close to doing it:
1. Your administrator user: Now set it aside and don’t use it for anything except for administration and NEVER head a browser in that account out to the Internet at large. Use it only for administering the system. If the browser must head to Apple or your AV system or something else that is security related, that is fine. Everything else is taboo. But if I am right and I think I am, over 95% of Mac users are using this account as their one and only account in the smug belief that just using a Mac makes them invincible. All it makes them impervious to are Microsoft Windows binaries. You are still spied on (tracked). You also aren’t immune to Mac binaries. There is less of them right now but that can change. And unlike me needing two sets of binaries for my Ubuntu and OpenSuse systems (library incompatibilities) of the same programs you are pretty much assured some homogeneity of what ever Mac Trojan is coming at you. They will probably work on any versions of the OS-X that were designed for the Intel architecture.
2. A normal user: Use this one for your general purpose use. This one MUST require you to type the sudo password to install out of the ${HOME} file space. You also should not be auto-logged into it (for the OpenSuse users – make sure you disable that auto login feature – also if you use Gnome, you turn off the screen lock in the screen saver preferences).
3. A banking user: This one is also a normal user that has to type the sudo password to install out of the $HOME file space. Won’t your normal user account be enough? What if they have installed the trojan in ${HOME} which as a security analyst is what I would do? I can probably get all of it done without you knowing I did anything at all. After all, Apple kindly provided me with a dandy way to hide it:
http://openp2p.com/pub/a/mac/2002/10/22/macforunix.html
Go to page 2, point number 5. Now all I need to do is have my install script execute the following script in the ~/Applications folder:
SetFile -a V MyBeautifulTrojan
# similar for all of the files I put on your system.
Hmm, maybe SetFile should be a privileged command?
Oh, I forgot – the Mac user is using an administrator account for everything.
If they did something just as stupid and bone-headed as Ubuntu did in putting ~/bin before all of the system bins and Apple put ~/Applications ahead of the system ones I would assuredly also do the same with these, also in the ~/Applications folder:
SetFile -a V ps
SetFile -a V ls
SetFile -a V # what ever else I need.
Now you BETTER know where your real system ls command is if you have ~/Applications first in the $PATH (we will ignore for the moment that maybe I could slam it into your startup files to make sure it is first if Apple didn’t do it for me). You will not only not be able to see any of these files using the Finder, you won’t see them with ls in a terminal either because you will be using MY ls. And I did every bit of it without alarming you by asking for the sudo password. Oh, I forgot again, you are using your administrator account for normal use. In fact you are using your administrator account for everything.
For those taking the dedicated Windows machine used only for banking route I would advise people to take my PAC filter and alter it by stripping out all the rules and basically black-list out the entire world and then white-list your way out of that into allowing Microsoft, your AV and other security packages and your banks back in. I would take the time to do it myself but I am swamped. But if you had that, your temptation would be met with a not-so-kind white page and a block in the browser. You would be reminded “this computer is to be used for finance only transactions – everything else is forbidden.” If you don’t do that you are right back where you are at now. I did mention that one user couldn’t turn the PAC filter I created off, didn’t I? I finally had to put how to turn it off into my blog. The only thing I can say is if it really did get in his way of getting to stuff and he doesn’t know how to turn the PAC filter back off then he probably needed it and in addition also needed to learn a lot about the Microsoft Windows system he was using. But I can assure you my PAC filter doesn’t black out the entire world as he put it. It just blocks out the portion I have seen time and again leads to problems. Unfortunately the PAC filter also causes FPs. Either white-list your way out of the FPs or remove the rule that gets in your way. A system with a nobbled filter is better than no filter at all. Don’t install Adobe Reader on this dedicated banking system. If you must read PDF files, use Foxit or something else. Don’t put Flash player on this system. Do not install Shockwave player on this system. Use it only for banking / finance and nothing more. If you don’t have the self discipline to do that then go the LiveCD route.
Like or Dislike:
2
0
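The comment above hinges on search-path ordering: a user-writable directory (~/bin or ~/Applications) that sits in front of /bin and /usr/bin lets anything dropped there shadow ls or ps without a sudo prompt. The following is an added example, not code from the commenter or from any OS vendor, that audits a PATH value from the defender's side and reports every entry a non-root user could write to that would be searched before the first system directory. The list of system directories and the home-prefix heuristic are assumptions for illustration; on a real machine you would also check ownership and permissions of each entry.

```javascript
// Added example: audit PATH ordering for user-controlled entries that are
// searched before the trusted system directories.
// SYSTEM_DIRS is an assumption: extend it for your distribution (e.g. /usr/local/bin
// if it is root-owned on your system).
var SYSTEM_DIRS = ["/bin", "/usr/bin", "/sbin", "/usr/sbin"];

// Returns a list of { entry, reason } for every PATH element that would be
// consulted before the first system directory and that an unprivileged user
// could populate (home-relative, empty, "." or relative entries).
function auditPath(pathValue, home) {
  var entries = pathValue.split(":");
  var firstSystemIdx = -1; // index of the first trusted system directory
  for (var i = 0; i < entries.length; i++) {
    if (SYSTEM_DIRS.indexOf(entries[i]) !== -1) { firstSystemIdx = i; break; }
  }
  var findings = [];
  for (var j = 0; j < entries.length; j++) {
    // Only entries that precede the first system dir can shadow system tools;
    // if there is no system dir at all, every entry is suspect.
    if (firstSystemIdx !== -1 && j >= firstSystemIdx) continue;
    var e = entries[j];
    if (e === "" || e === ".") {
      findings.push({ entry: e, reason: "current directory searched before system dirs" });
    } else if (e === home || e.indexOf(home + "/") === 0) {
      findings.push({ entry: e, reason: "user-writable home directory ahead of system dirs" });
    } else if (e.charAt(0) !== "/") {
      findings.push({ entry: e, reason: "relative entry ahead of system dirs" });
    }
  }
  return findings;
}

// Convenience wrapper for the current process environment.
function auditCurrentPath() {
  return auditPath(process.env.PATH || "", process.env.HOME || "/nonexistent");
}

// Run directly: node audit_path.js (file name is a placeholder).
if (typeof require !== "undefined" && require.main === module) {
  var report = auditCurrentPath();
  console.log(report.length === 0 ? "PATH ordering looks sane" : report);
}
```

A clean result on this check does not mean the user's shell startup files have not been altered, which is the commenter's second concern; it only tells you the ordering the current shell actually uses. On a Mac, GetFileInfo (the companion of the SetFile tool the comment mentions) reports the invisible attribute, so a file hidden that way can still be found by listing the directory with it rather than with the Finder.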
@Henry Hertz Hobbit
Great info, much of it can be applied to any OS. Using the almighty administrator account for everyday use is just inviting disaster as it gives the keys to the castle, so to speak, for ANY software, good or bad, to run on the system. Using administrator basically defeats one of the most important layers of security built into modern operating systems. It should ONLY be used for system administration. Of course, the entire issue of using administrator stems from the old usability versus security paradigm, exacerbated by software developers that designed software assuming the use of the administrator account. That issue HAS been changing over the years, although Microsoft still makes it all too easy to set up and use an administrator account. As much as they want security, they also understand users just want things to work (usability).
The PAC list sounds similar to a blocking hosts file that can be a very effective layer of security on Windows systems. I’ve been using MVPS’s blocking hosts file (see link below) for years and feel very strongly it has prevented malware from even getting to my system when browsing the far reaches of the Internet.
http://www.mvps.org/winhelp2002/hosts.htm
All in all though, for me it always comes back to the 10 Immutable Laws of Security, in particular #10.
http://itknowledgeexchange.techtarget.com/security-corner/10-immutable-laws-of-security
Law #10: Technology is not a panacea
No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.
It is what has kept me malware free for the 14+ years I’ve been using computers!
Like or Dislike:
0
0
So, as a small business owner, I have taken Mr. Krebs advice very seriously, and I now do all of my business’ online banking using a Linux LiveCD, on a second computer that resides right next to my main Windows machine on my desk.
This works fine, generally, and although it is clunky and less convenient, it is still more convenient than mailing bills at the post office or getting in the car every day and driving to the bank to check up on my account balance.
HOWEVER, even with all these steps, I have caught myself inadvertently trying to use my Windows machine to log into my bank account several times, simply because I was “not thinking” about what I was doing. Sort of like putting the milk back in the cupboard instead of the fridge.
In my REAL-WORLD experience as a small business owner, even the dual machine / LiveCD solution is easily defeated by 10 seconds of doing “something stupid” accidentally. It’s like keeping a loaded handgun on your desk with the hammer cocked.
Call me stupid if you want – but I still think it is way too easy to screw yourself during a moment of not thinking straight.
Like or Dislike:
0
0
I must confess I have not tried the LiveCD process yet but I do intend to give it a go. I am curious about the mechanics of interaction between your accounting software and the machine you run the LiveCD. Do you run the accounting software locally on the same LiveCD machine and then save the files to a usb stick or have it on a separate machine and just memorize account numbers and transaction details over into the writeable machine.
Our online business banking platform synchronizes with a range of accounting programs we currently run on the same machine we connect with. I suppose I could use usb sticks to transfer the synchronized files back and forth with the accounting machine but I imagine that would defeat the security of doing LiveCD in the first place.
Like or Dislike:
0
0
Matt –
I do all the account reconciliation by hand. My business is such that there are maybe 50 transactions per month. You bring up an excellent point, though. For businesses with higher transaction volume, hand reconciliation would not be practical.
Like or Dislike:
0
0
Upon further reflection – I guess that’s really why I ultimately decided to set up two PC’s running at the same time with two separate monitors.
I did originally try rebooting into a LiveCD every time I wanted to do an online bank transaction, but synchronizing these online transactions with Quickbooks in a Windows environment became too painful.
So, in my setup, the Windows PC/monitor runs Quickbooks and the Linux PC/monitor displays the bank website.
Like or Dislike:
0
0
Sean, you’re not stupid, just a creature of habit. Try a simple step like taking the bank’s address out of your URL favorites/bookmarks in your “main machine.” If you have to type in the address to access your bank, you’ll realize that you’re on the wrong computer!
Like or Dislike:
1
0
JBV, thanks for the advice, but I don’t even use bookmarks! I always type the website address directly.
Maybe I need to add my bank’s website to the list of “Restricted Sites” on my Windows machine.
Like or Dislike:
0
0
Sean:
If you have a neighborhood geek, have them install my PAC filter on their system first (their choice of OS, since it works on all operating systems and in all browsers) and then on your Windows system (they will need Homer on Windows):
http://www.SecureMecca.com/pac.html
http://www.HostsFile.org/pac.html
Tell them to ruthlessly strip out any rules that get in your way. Even a nobbled filter is better than no filter at all. But have them add either these rules to your PAC filter
BadDomains[i++] = "MyBank.com";
BadDomains[i++] = "MyCreditUnion.com";
// any other finance sites you have
or these:
BadHostParts[i++] = "MyBank.com";
BadHostParts[i++] = "MyCreditUnion.com";
// any other finance sites you have.
That way every time you try to go to your finance institutions on Windows you get a not so kind reminder (a blank page which is really just one CRLF) that you are to shift over and use the other system. Tell the geek to set the PAC filter to set it up for themselves first on their own systems. I must add that I do have fourth dimension rules like these in the PAC filter:
GoodDomains[i++] = ".wellsfargo.com";
BadHostParts[i++] = "wellsfargo.com";
Unfortunately I have to put the “.” at the start of the first rule to prevent you from going to some place like hocus-pocus-wellsfargo.com, so you have to enter at least a leading “www.” before “wellsfargo.com”. Even if you have something like wellsfargo-com.esoteric.co.uk or similar, the second rule will block it without knowing about it a priori. The reason why is that the “.” without a leading backslash means match any one character. The reason it works is the GoodDomains rule is checked first and the BadHostParts rule is checked second. Yes, that means I am blocking all of these phish names without even knowing what they are! But you need that geek to help set it up. I am not a geek. I have built network management systems for a State and a University and have three degrees and used to have a lot of interests. Now all I want to do is retire to a French Polynesian island and never return. I think I have just enough brain cells left to learn French (badly), and that is about all.
Like or Dislike:
1
0
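The comment above describes two uses of a PAC filter: a reminder rule that blocks your own bank on the Windows machine so you switch to the dedicated system, and a GoodDomains/BadHostParts pair whose ordering (allow-list checked first, regex fragment checked second) catches look-alike phishing hosts. The block below is an added example, not the SecureMecca or HostsFile.org PAC file, that implements just those two rule types in a minimal FindProxyForURL. The bank names are the commenter's placeholders, and BLACKHOLE is an assumption: real deployments point it at a local proxy that serves a blank page (the comment mentions Homer on Windows), while 127.0.0.1:1 simply refuses the connection.

```javascript
// Added example: a minimal PAC file with the rule ordering the comment describes.
// BLACKHOLE is a placeholder for the local "blank page" proxy you actually run.
var BLACKHOLE = "PROXY 127.0.0.1:1";

// Reminder rules for the non-banking machine: the domain itself and any subdomain.
var BadDomains = ["MyBank.com", "MyCreditUnion.com"];

// Phishing rules: GoodDomains is checked FIRST. A leading "." means "a real
// subdomain of", so bare wellsfargo.com or hocus-pocus-wellsfargo.com do not match.
var GoodDomains = [".wellsfargo.com"];

// BadHostParts is checked SECOND and is a regular expression fragment: the
// unescaped "." matches any character, so "wellsfargo.com" also catches
// "wellsfargo-com.esoteric.co.uk".
var BadHostParts = ["wellsfargo.com"];

// True when host equals domain or is a subdomain of it (case-insensitive).
function matchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function isGoodHost(host) {
  for (var i = 0; i < GoodDomains.length; i++) {
    var g = GoodDomains[i].toLowerCase();
    if (g.charAt(0) === ".") {
      // Must end with ".wellsfargo.com": a genuine subdomain only.
      if (host.toLowerCase().slice(-g.length) === g) return true;
    } else if (matchesDomain(host, g)) {
      return true;
    }
  }
  return false;
}

function isBadHost(host) {
  for (var i = 0; i < BadDomains.length; i++) {
    if (matchesDomain(host, BadDomains[i])) return true;
  }
  for (var j = 0; j < BadHostParts.length; j++) {
    if (new RegExp(BadHostParts[j], "i").test(host)) return true;
  }
  return false;
}

// Browser entry point: allow-list first, then block-list, otherwise pass through.
function FindProxyForURL(url, host) {
  if (isGoodHost(host)) return "DIRECT";
  if (isBadHost(host)) return BLACKHOLE;
  return "DIRECT";
}
```

Because BadHostParts entries are compiled as regular expressions, every unescaped metacharacter widens the match; that is what makes the wellsfargo rule catch hyphenated look-alikes, but it also means a rule like "bank.com" would block "bankXcom.example", so review new fragments against the sites you actually use before deploying them.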
Kaspersky has stated that a total of 2,247,659 backdoors, hacktools, exploits, rootkits, viruses, worms and trojans have been targeted for Windows vs. 1,898 for Linux and 48 for OS X [Inside Cyber Warfare - Jeffrey Carr - Page 193 - Figure 13-1].
The only conclusion we can come to is both Linux and OS X are vastly more secure than Windows.
Like or Dislike:
0
0
I hope the guy who got all this money stolen was fired and sued.
Like or Dislike:
0
1
Dark Energy:
If Ubuntu, which is the most popular Linux distribution, keeps putting ${HOME}/bin first in the ${PATH} and these hackers who are 99% Windows experts and many are only Linux newbies ever find out how to exploit it, it won’t stay that way much longer. If 85%+ of Macintosh users keep using their administrator account and similarly these hackers who frequently don’t own a Macintosh finally take the time to exploit it, a huge new populace is there ready for the fleecing. Again, most of the hackers don’t know how to work with Macs. It is the hackers’ ignorance of these other operating systems and their great success with Windows that creates an atmosphere where there is no incentive for them to target these other systems even if they are safer. That is the only reason for such lopsided numbers that seems reasonable. Or maybe it is because they work from Linux and don’t want what they work from attacked (honor among thieves). They may themselves become victims.
King Reggin: You didn’t read carefully enough. HE (the person that did it) OWNS the company! I suppose he could fire himself. I just hope he and his wife aren’t running their Macs from administrator accounts! They probably are, citing Dark Energy’s numbers as the reasons for their complacency.
Maybe me and Charlie are going about it the wrong way. Maybe we should make some money off these pompous Linux and Mac owners.
Like or Dislike:
1
0
“It is the hackers’ ignorance of these other operating systems and their great success with Windows that creates an atmosphere where there is no incentive for them to target these other systems even if they are safer. That is the only reason for such lopsided numbers that seems reasonable.”
If the attackers are so ignorant, how is it that malware is still winning despite years of patch responses by Microsoft professionals?
The key to understanding malware is in the way it is distributed. Anybody who is browsing or has an email address may receive malware. Since Microsoft Windows supports 91 percent of browsing, about 91 percent of malware encounters Windows and is set up to handle Windows. Macs receive the same malware package, but the package is not set up to handle Macs. An attacker would have to be an idiot to prepare for a Mac in this environment (except for development or market tests), unless Mac users somehow yielded 18 times as much profit as Windows users.
Malware success is almost completely unrelated to OS quality. Almost 100 percent of malware will be designed for the most popular OS, no matter how buggy or strong any of the OS’s may be.
Like or Dislike:
2
0
According to the Kaspersky numbers, for every piece of malware that affects OS X there are 46,826 that affect Windows.
If the ratio of OS X installations to Windows installations is also 1 : 46,826 then this is not suspicious.
I could not find data on the total number of installations in the world by operating system.
The number of defects in an operating system is related to the amount of malware targeting it. For every defect in Red Hat Linux there are more than 10 in Windows [Jeffrey Carr - Page 192]. I don’t know how Mr. Carr knows that since the Windows source is closed – but when discussing security by operating system let’s stop overlooking the most important thing – the defect rate in the kernel and core components.
Like or Dislike:
0
0
“The number of defects in an operating system is related to the amount of malware targeting it.”
I do not think so.
The number of attacks should *not* be expected to be proportional to the number of systems *or* the number of defects. Attacks are directed at the *single* most popular system, so the malware can be prepared to succeed most often.
Malware distribution generally finds user systems at random, and then must exploit whatever system it finds. 91 percent of the time that is Microsoft Windows. An attacker would have to be nuts to prepare for any other OS, no matter how buggy it is.
Currently, it would not be easy to get only those with (say) Mac systems to click on a malware link, or open a malware .PDF file. Even if possible, why bother? Rejecting Windows means rejecting 91 percent of attack opportunities. Preparing for a secondary OS is a waste of time compared to improving distribution.
Malware attacks are designed for *the single* most expected environment. Even though Windows will be found only 91 percent of the time, attackers will prepare for Windows almost 100 percent of the time, because that will give them vastly better chances of success than any alternative.
Like or Dislike:
1
0
And has been shown with several counter examples, it is JUST NOT TRUE that malware targets the most popular system.
Apache outnumbers IIS 2 to 1. Yet most web-server malware targets IIS.
And I’ve just seen figures on mobile-phone malware. Windows Mobile is very much an also-ran in the phone OS stakes. Yet again, most phone malware only targets Windows. If your assertion is correct, why does mobile-phone malware target the system with less than 20% of the market?
Cheers,
Wol
Like or Dislike:
0
1
“And has been shown with several counter examples, it is JUST NOT TRUE that malware targets the most popular system.”
Counterexamples must be apples-to-apples. In the current context of banking user OS’s, and malware targeting those users, it is in fact true that malware targets the most popular OS almost exclusively.
The only real surprise is the “almost exclusively” part. Malware cannot handle whatever machine it lands on. Instead, the malware package must be developed for a particular OS (or environment). Preparing for the most-popular OS is an attacker no-brainer, and that is what we see.
We do not see malware for Macs or Linux. Examples do of course exist, but it is just not a major direction for attackers, because it is far less profitable. That is not because Mac users have less money, it is because the probability of encountering a Mac user is only 5 in 100, as opposed to 91 in 100 for Windows. To make Macs worthwhile for attack, Mac users would have to provide 18 times as much profit as each Windows user. So what we see makes sense.
On the other hand, if you have a better model for malware reality, trot it out!
Like or Dislike:
2
0
The amount of defects in software is related to the number of exploitable bugs – which in turn affects the size of the attack surface. The larger the attack surface, the easier and less expensive it is to develop malware that targets it – and consequently more malware is built for it.
Let’s assume this relationship does not exist. Then software with millions of bugs is just as secure as software with no bugs. The number of buffer overflows doesn’t matter. However, we know this to be an absurdity.
Malware does not always target the single most popular operating system – if that were the case then all malware would target Windows – even if Windows only had 51% of the market share.
No one suggested the relationship between the number of defects and the malware that targets an operating system is proportional – I said it was “related.” Proportional implies a linear relationship between two variables. I don’t believe the relationship is linear – it may very well be exponential.
Like or Dislike:
0
0
“The larger the attack surface, the easier and less expensive it is to develop malware that targets it – and consequently more malware is built for it.”
“easier and less expensive” — True.
“consequently more malware is built” — False.
Once past a certain size, every large complex software system has exploitable faults, even after hundreds of patches. For attackers, finding faults is increasingly difficult, yet it is done. Improving security in Microsoft Windows has not reduced the amount of malware, in fact malware is getting worse. These are the facts, the only question is why these facts are the way they are.
I claim the amount of malware is best understood as having almost *nothing* to do with OS quality or programming difficulty. Malware makes sense when seen as:
a) a random distribution,
b) programmed for a particular OS,
c) to make the most profit.
Malware has everything to do with profit, which necessarily means addressing the single most-popular OS, no matter how buggy or easy-to-defeat other OS’s may be.
“Let’s assume this relationship does not exist. Then software with millions of bugs is just as secure as software with no bugs. The number of buffer overflows doesn’t matter. However, we know this to be an absurdity.”
Since there are no large, complex software systems without bugs, the argument itself is “absurd.”
The overall security of a large system does not change much, in general, when a particular bug is fixed. System security is the minimum across all attack possibilities. Patching a known vulnerability just eliminates one approach. Attackers using that approach obviously need another, which they always find. As Microsoft continues to patch bugs, we have direct evidence that reducing the number of bugs, thus making attacks more difficult, does not reduce the amount of malware.
In practice, when a buffer overflow is found, there is a rush to fix it. The question is whether fixing that bug, or another, or even year-after-year of bug patches, actually reduces malware. Surely patching bugs makes malware more difficult to write, so by the argument there should be less, right? Yet after years of Microsoft patching we see malware still targeted at that platform, and in fact increasing for that platform. The facts contradict the claim.
“Malware does not always target the single most popular operating system – if that were the case then all malware would target Windows – even if Windows only had 51% of the market share.”
In the context of this blog, the banking user OS arena, virtually all malware *does* target Windows. Indeed, it is that strange fact which is most confusing to those who claim technical superiority for one or another OS competitor. Recognizing the limits on malware distribution and working out the simple profit probabilities clarifies why attackers continue to prepare for an increasingly-difficult OS rather than some other.
Yes, I do predict that Windows would have to slide almost as low as the next competitor before we start seeing malware seriously turn in a new direction. Attackers will choose the option that gives them the best profit, which almost always means the single most popular OS.
Like or Dislike:
1
1
Well then, this explains why there are so many hamburger joints in the US, and no Thai restaurants, or Ethiopian eateries, or…..
Because in a free market EVERYBODY goes where the most money is.
Sorry, I don’t buy it. The reason for the virtual non-existence of OSX malware may not be the inherent security of the OS, but it certainly isn’t lack of market share. There are millions of Macs in the wild, nearly all of them unprotected by AV, and most of them used by the great unwashed from a security perspective.
This “market” seems ripe for the picking. I’ve yet to hear an explanation for the lack of harvesters that seems reasonable to me.
Like or Dislike:
0
0
@Steve Parker:
“There are millions of Macs in the wild, nearly all of them unprotected by AV, and most of them used by the great unwashed from a security perspective.
This “market” seems ripe for the picking. I’ve yet to hear an explanation for the lack of harvesters that seems reasonable to me.”
Then listen up because you are about to get that explanation:
The reason Macs are not exploited as a vulnerable group is that malware is generally distributed in ways which do not beforehand know what type of computer OS will be encountered. For example, an email .PDF malware does not know what machine may be used to read it. Similarly, a web-site malware link delivers the same file to any computer running any OS.
A malware is just a computer program and must be programmed for a particular environment (typically, a particular OS). If a malware program is designed for Microsoft Windows, it will not run on a Mac.
So if an attacker puts out Windows malware, that has a 91 percent chance of finding itself on a Windows system and achieving success. 9 percent of the time the Windows malware fails simply because it finds a Mac, or Linux or something else, and cannot run.
If an attacker puts out Mac malware, that has a 5 percent chance of finding itself on a Mac system and achieving success. 95 percent of the time that malware fails because it does not find a compatible host.
* Which of the malware options, Windows or Mac, is likely to be the most profitable? (That would be Windows by 91 to 5, an 18x advantage.)
* Is there some ratio of Mac malware to Windows malware that would improve profits? (No. The profit optimum is to have *all* Windows malware and *no* Mac malware at all.)
DOES THE LACK OF MALWARE FOR MACS SEEM REASONABLE NOW?
Like or Dislike:
1
1
@Terry Ritter
Uh, no. That makes no sense. What you are suggesting is that no malware writer would bother trying to exploit what is essentially a niche market. That doesn’t jibe with reality in every other area of life, where niche markets are almost always served by someone. And that assumes 10% is a niche.
Windows’ prevalence may explain why it is a favorite target, but it absolutely does not explain the almost total lack of OSX malware, especially when there are numerous techniques for targeting attacks at specific platforms.
Is OSX harder to exploit? Are malware authors really so myopic (or lazy) that they can’t see the opportunity? Or is something else going on?
I don’t have the answer, and I’m pretty sure you don’t either.
Like or Dislike:
1
1
And that’s why it’s important to discuss these variables (popularity, exploitability, etc.) that influence the problem.
If we could build a model that takes all of this into account then we might be able to predict the volume of malware – and ultimately allocate the optimal amount of resources to counter it.
Niels Provos has done a substantial amount of research on the number of honeypots it takes to disable worms based on the number of susceptible hosts. I’d like to see something like that for every category of malware.
Like or Dislike:
0
0
“Uh, no. That makes no sense. What you are suggesting is that no malware writer would bother trying to exploit what is essentially a niche market.”
Uh, no. What I am stating is that the malware author does not have the *opportunity* to distribute to a market consisting of a particular OS. In general, malware is distributed to a computer before the OS on that computer is known.
Perhaps the problem would be clearer if you would describe in detail exactly how you think a malware author *could* distribute their Mac malware only to Mac computers.
There have been some attempts in this area, even in the last week. Sometimes it is possible to get malware into a Mac software distribution center or on a Mac site, but that is pretty hard and generally does not last too long. The vast, vast majority of malware is distributed at random, which means a single malware program is sent to every possible email address or browser click. Most of that effort is lost unless the malware program is ready to run on Microsoft Windows.
“I don’t have the answer, and I’m pretty sure you don’t either.”
Really? You may wish to reconsider that.
Like or Dislike:
0
0
Browser user agent strings.
Web based attacks have been adaptively attacking selected targets for years.
For email, maybe spam all .mac addresses.
Like or Dislike:
0
0
“Browser user agent strings.”
All that can do is *not* send malware to a computer with the wrong OS. So the malware does not run, which is exactly what would happen if it were sent. The only result is saved bandwidth, which the malware is probably stealing anyway. It does not increase the number of infections, which is the money issue.
The outcome is set when a user somehow goes to the malicious site on a particular OS. That is before the actual browser contact. After that, there is little or no advantage to *not* sending malware to anyone who connects.
“Web based attacks have been adaptively attacking selected targets for years.”
Which is, of course, how we know they are relatively ineffective both as a profit base and as a worry for ordinary users. They are fine for intelligence operations, or a special target. They are not the way for malware authors to make money, and they are not the way normal users lose money.
“For email, maybe spam all .mac addresses.”
I am dubious. Probably any OS-specific email service will specifically check for broad-based spam. Since Mac malware does in fact exist, we can infer that some reason exists which prevents such distribution, or makes it ineffective. That would not be the Mac computer itself, because we know Macs can indeed be infected.
Mac infection is normally rare because malware authors generally have a more popular, and thus more profitable, target. However, infecting a few Macs from time to time may be good propaganda for malware authors to keep users on the popular OS. And we may see some periodic development and market testing for the Mac platform.
Like or Dislike:
1
0
The User-Agent HTTP header can be used to target compatible systems as well as avoid incompatible systems.
Consider my browser’s User-Agent header:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
It’s fairly obvious what operating system and browser I’m using. In this case an attacker might send a Java applet that exploits a hole in Firefox for Windows.
The site could just as easily not send the applet to a Safari browser on a Mac.
Like or Dislike:
0
0
@Dark Energy:
“The User-Agent HTTP header can be used to target compatible systems as well as avoid incompatible systems.”
You are missing the point. Identifying the OS a user has does not bring any more users to the malware site. It just handles some of the unattacked remainder, beyond the 91 percent already correctly targeted.
Adding a second malware can at best increase the attacked subset from 91 percent to about 96 percent. But the added OS will require about the same amount of work and continued development as the first. So attackers have twice the work for a 5 percent increase in profit.
Attackers can get an equivalent increase much easier simply by distributing more malware. And that requires no added technical foo-faw on invaded pages.
“In this case an attacker might send a Java applet that exploits a hole in Firefox for Windows.”
For best security, people should not be using Java, if at all possible.
Although browser intrusions may not require OS-specific code, they probably will need OS-specific code to infect the hard drive. Then we are back to the dominant OS argument again.
One alternative might be for an intrusion running in the browser to call home and download and save an OS-appropriate infection. But even if that could be made to work, it could only improve profit by about 5 percent.
Like or Dislike:
0
0
Selecting a target based on operating system or the type of server software is a common practice for worms.
It can be very easy to analyze the operating system’s TCP stack to determine both the vendor and version. Some server software will actually report its version to you such as OpenSSL and Bind.
Like or Dislike:
0
0
Brian:
It is time to bring this to an end. No matter what the reasons, it appears that Macs and Linux and Unix have far less malware than Windows. As one person said a long time ago, they don’t care why. They just know that if they can shift to using either a Mac or Linux that is something that will reduce their exposure, at least for now. If you ask me, it will be forever. M$ market share and percentage have not changed and never will. It is rock hard solid and stable and will stay that way forever. What puzzles me is this inordinate fear M$ has of Linux when Mac has a much more significant market share. It has been that way for over seven years now since they first stood up and took notice of it.
But the vast majority of Mom & Pops I go to have software that only runs on Windows. I don’t care how much more secure these other operating systems are. When the software you need to run your small business exists only on Windows you have no choice but to use it. Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb. All these people want is something that makes their banking secure and they want it NOW!
Brian gave some acceptable ways to reduce that risk. I support those methods he proposed. The only caveats I have are the following two things (this is just a start – for somebody who has used Unix since the 70s I am appalled by the first one):
First, I want the Ubuntu team and any other Linux, Unix, or Mac type people to put $HOME/bin or other $HOME executable folders LAST in the $PATH! This is not negotiable! I want them to change it and I want them to change it now! If you are running from a LiveCD, you can not change this so it is imperative that they get this correct! I am baffled how this which was taught in Unix safety 101 back in the early 80s is being done wrong now.
Mac owners somehow need to be trained to not use their admin account, and if possible they will need to create a secondary admin account and then a normal account and use the normal account for everything. The secondary admin account should not even be used for admin purposes – it should sit there to clean up a disastrous User infection in your normal account.
I am trying to stave off the problems that exist on Windows ( “.” is ALWAYS in the $PATH ) on Linux and Macs before the problem moves there. What are the rest of you doing? You are not helping these people who just want to do more secure banking NOW!
In case you are wondering, I have two Linux distros as well as DesktopBSD on my systems. I also have Windows. I make filters for the Internet and almost never am using Windows to do it. Any further comments to this thread from fanatic Linux and Windows devotees that don’t want to address these small business users will be sent to /dev/null (NUL for Windows people).
Like or Dislike:
2
1
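The two $PATH hazards the comment above names, a current-directory entry and a user-writable $HOME directory searched before the system directories, are easy to audit mechanically. The following Python is an added example (not from the thread or any distribution) that checks a PATH string for both. Its list of system directories and the home prefix it treats as user-writable are assumptions; a real audit would additionally stat each directory for write permission.

```python
import os

# Added example: audit a PATH value for entries that let a user-writable or
# relative directory shadow system binaries such as ls or sudo.
# Assumed set of directories whose tools a planted binary could shadow.
SYSTEM_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin",
               "/usr/local/bin", "/usr/local/sbin"}


def audit_path(path_value, home):
    """Return a list of human-readable findings for one PATH string.

    Flags: an empty entry or "." (POSIX shells search the current directory
    for either), any other relative entry, and any directory under `home`
    that appears before the first system directory. An empty list means the
    ordering matches the rule the comment asks for.
    """
    findings = []
    home = home.rstrip("/") or "/"
    passed_system_dir = False
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append(
                f"relative entry {entry!r}: the current directory is searched")
        elif not entry.startswith("/"):
            findings.append(
                f"relative entry {entry!r}: resolved against the current directory")
        elif entry == home or entry.startswith(home + "/"):
            if not passed_system_dir:
                findings.append(
                    f"user-writable {entry} precedes the system directories")
        elif entry in SYSTEM_DIRS:
            passed_system_dir = True
    return findings


if __name__ == "__main__":
    # Constructed sample: $HOME/bin first and a stray empty entry (':' ':').
    sample = "/home/alice/bin:/usr/local/bin:/usr/bin::/bin"
    for finding in audit_path(sample, "/home/alice"):
        print("sample:", finding)
    # Then the live environment of whoever runs the script.
    for finding in audit_path(os.environ.get("PATH", ""), os.path.expanduser("~")):
        print("this shell:", finding)
    print("done")
```

The shadowing risk exists because the shell takes the first match it finds; once a user-writable directory is searched before /usr/bin, anything dropped there under a common command name runs in place of the real tool, which is exactly why the commenter wants $HOME directories last.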
“But the vast majority of Mom & Pops I go to have software that only runs on Windows.” — Fine.
“I don’t care how much more secure these other operating systems are. When the software you need to run your small business exists only on Windows you have no choice but to use it.” — Fine, but not necessarily *on line*.
“Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb.” — A bridge too far.
Not all users need particular apps and also need them during online banking. Many others can adjust the way they work to allow banking outside Windows, while still running the business.
For most users, the appropriate suggestion is to use a secure platform for banking and do nothing else at the same time. Then, when banking is over, use the insecure platform as needed.
By “the secure platform” I mean booting from a free LiveCD or DVD on the same computer hardware. Or perhaps on a separate computer, even an old one no longer practical for Windows.
“All these people want is something that makes their banking secure and they want it NOW!”
Generally, people who run businesses, even small businesses, tend to live in the real world.
I believe that Microsoft Windows cannot be hardened enough for online banking by any means whatsoever. So if “they want it NOW” means just adding stuff to the old system because it is quick, that is not going to solve the problem. Waiting for the bank, the banking industry, or government to “solve” the problem will be anything but quick.
Many people feel security is not worth the trouble, or have decided (probably too quickly), that they are willing to take the risk. That is fine. They can do that. But those who have decided they want real security are in a different group. They should not be using Windows online, and certainly not for online banking. People who want security for online banking should be booting free Linux from a LiveCD or DVD.
Like or Dislike:
0
1
While I understand your reasoning and advocating using a Live CD, I completely disagree that Windows cannot be hardened to be used for online banking. Why? Because I can personally vouch for the fact I HAVE and continue to harden my Windows systems to the point I have NEVER been compromised in ANY way. And, to say, on systems I also use to browse the Internet. I may be the exception so to speak. But, it IS possible, contrary to what you say!
Even so, I generally wouldn’t recommend so because the majority of people do not have the insight or discipline that I may have in order to do so. So, admittedly, a Live CD is probably most effective for them.
Like or Dislike:
2
2
“When the software you need to run your small business exists only on Windows you have no choice but to use it. Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb. All these people want is something that makes their banking secure and they want it NOW!”
Fact is, there’s a lot more small biz s/ware available for the Mac than most people realize. If anyone were seriously interested in this, they can contact members of ACN, Apple Consultant Network. http://consultants.apple.com/
And, though it is correct to say that Macs are more expensive, the entry level desktop is $699. And, one can run Windows on it, in addition to Mac OS X, either on a separate partition (boot camp), or in a VM, using either VMWare’s Fusion or Parallels VM.
I am *not* advocating this solution for those who truly cannot afford it, just saying that, for those who find Linux confusing, and/or those who have people on staff who know the Mac OS, it is not as costly or difficult as some believe. Maybe it used to be that there wasn’t enough s/ware – now that is really pretty rare. Further, in some cases, such as MacPractice for MDs and DDSs, the Mac s/ware is significantly less expensive than the Windows counterpart.
Again, Linux, or running a Windows PC only used for banking, may very well be best for many. But this other solution does exist, and it may fit for some.
Like or Dislike:
1
0
Interesting discussion. To me, the low hanging fruit analogy is apt here.
On the big ol’ software fruit tree, we have all operating systems with a high amount of Windows systems taking up the bottom primarily due to its ubiquitous nature and default configuration out of the box for usability (which is counter to security). Now, if you’re a malware author hungry for profits, are you going to go after the high hanging, more difficult fruit? No, you’re going to go after the ripe ones sitting toward the bottom because it doesn’t take as much effort. As long as there is low hanging fruit, the higher hanging fruit will be left alone. Now, consider that out of the box, by default each OS will sit at a different level on the tree. Then, depending on defensive counter measures, a system will move higher, in effect making it more difficult to pick. In effect, regardless of what OS you choose to use, it’s about risk management and taking appropriate steps to ensure you are NOT low hanging fruit ripe for the picking.
Like or Dislike:
3
0
Apple secretly updates malware protection
http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates-mac-malware-protection/
The new protection is against a Trojan that depends on social engineering (like a lot of malware). So why update it silently? The first line of defense is always user awareness and education because users are the weakest link.
Like or Dislike:
2
0
I probably shouldn’t even respond as you know what they say about feeding you know what………… oh, never mind!
Wow! I’ve got to hand it to you. You’ve really nailed it! You owned it! (Although a little pitchy at times). I see the light now. This Microsoft apologist, paid troll, seriously misinformed, and/or armchair expert, Redmond fan boy, and sad little apologist (oh, said that already) is going to take his little broken red wagon to the scrap heap and go out and get a brand new shiny Apple or Penguiny thingy! You know because there are so many “high quality, open source, business grade software, to do what we need, without being exploited” out there now. Oh, oh, not to mention games! Uh huh! ;P
(See how ridiculous you sound???) And to think you had me at “I seriously cannot believe”.
Like or Dislike:
2
1
@John Harris: “Unix, Linux, BSD, Apple OS-X, etc, are operating systems that are designed from the ground up, to be secure.”
No one has figured out how to design secure software in the sense you suggest. All software vendors are issuing a constant stream of critical security fixes for operating systems and applications.
Like or Dislike:
1
0
This is a really tricky thing getting on PCs that are yours. Even if you think you have no virus you could easily have one. I got this little device http://www.tapdrive.com that I really love. It’s a USB drive with its own read-only OS in it. This little baby is 100% virus proof. You can do on-line banking with ease of mind. For like $50 it’s so worth it.
Like or Dislike:
0
0
Using Mac for a Day Cost Windows User $100,000
Like or Dislike:
2
1
The best way to prevent this in North America is to use the same system European banks use. Every transfer requires the user to enter a random code from a list of codes (called iTAN) that is given to you by the bank when you open your account.
It’s just way too easy to get into someone’s bank account here, even a teenager could do it.
Like or Dislike:
0
0
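To make the iTAN scheme in the comment above concrete, here is an added Python example (not any bank's code) of the server-side bookkeeping: the customer holds a numbered list of codes, the server names one index per transfer, and each index can be used once. Constant-time comparison, voiding a challenge after a wrong answer, and the lockout threshold `MAX_FAILURES` are my assumptions about sensible handling, not part of the comment. One caveat for defenders: a code like this proves possession of the list but is not tied to the amount or recipient, so a Trojan already on the PC, which is what the article describes, can still present the transfer it wants while the customer types a valid code; later TAN schemes address that by showing the transaction details on a separate device before the code is released.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold; real banks choose their own


class ItanList:
    """Server-side state for one customer's indexed TAN (iTAN) list.

    Position i of `codes` is the code printed next to index i + 1 on the
    list the customer received. A challenge names an unused index; the
    customer answers with that code; the index is then spent.
    """

    def __init__(self, codes):
        self._codes = [str(c) for c in codes]
        self._used = set()        # indices already spent
        self._pending = None      # index currently being asked for
        self._failures = 0

    @classmethod
    def generate(cls, size=100, code_len=6):
        """Build a fresh list with a cryptographically strong generator."""
        return cls("".join(secrets.choice("0123456789") for _ in range(code_len))
                   for _ in range(size))

    @property
    def locked(self):
        return self._failures >= MAX_FAILURES

    def remaining(self):
        return len(self._codes) - len(self._used)

    def challenge(self):
        """Pick a random unused index to show in the transfer dialog."""
        if self.locked:
            raise PermissionError("TAN entry locked after repeated failures")
        unused = [i for i in range(1, len(self._codes) + 1) if i not in self._used]
        if not unused:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        self._pending = secrets.choice(unused)
        return self._pending

    def verify(self, index, code):
        """True only if `code` is the code for the index currently challenged.

        A wrong answer voids the challenge, so the same index cannot be
        retried; the next attempt gets a fresh random index.
        """
        if self.locked or self._pending is None or index != self._pending:
            return False
        self._pending = None
        expected = self._codes[index - 1].encode()
        if hmac.compare_digest(expected, str(code).encode()):
            self._used.add(index)
            self._failures = 0
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    # Constructed four-entry list; a real one would come from generate().
    demo_codes = ["111111", "222222", "333333", "444444"]
    tan = ItanList(demo_codes)
    idx = tan.challenge()
    print("bank asks for TAN number", idx)
    print("customer answers correctly:", tan.verify(idx, demo_codes[idx - 1]))
    print("replaying the same code:", tan.verify(idx, demo_codes[idx - 1]))
    print("codes left:", tan.remaining())
```

The random index is what distinguishes iTAN from a plain TAN list: a phishing page that harvested one code cannot know which index the bank will ask for next, though a Trojan in the browser can simply relay the bank's request.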