June 2, 2010

David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub- $10,000 and sub-$5,000 chunks to 14 individuals across the United States.

Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.

Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.

“He knew better than that,” Dunn said of his boss’s logging into the family Windows machine. “The thing about it is this wouldn’t have been able to happen if the security had been in place that is currently in place, which means he can only access the bank’s site from his Mac. We no longer allow access from any other computer other than his.”

Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the money mules who had been sent the firm’s money and asked to wire it overseas to the fraudsters.

“This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,” Dunn said. “He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he’d figured out by that point what had happened.”

Dunn added the company’s bank is disavowing any responsibility for the incident, but that there is a small silver lining.

“Our take is we weren’t provided the utmost security to prevent this from happening,” he said. “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”

Further Reading: Target: Small Businesses


204 thoughts on “Using Windows for a Day Cost Mac User $100,000”

  1. Henry Hertz Hobbit

    And your advice is spot on except for stopping short of doing it a little bit better with the Mac or any other sudo oriented ‘nix system except for the LiveCD versions.

    I advise creating three users for sudo oriented (Ubuntu / Mac / et al) systems with the OS on the hard drive. Your bank only Windows machine and LiveCDs will probably be a little more secure as long as you resist the impulse to read email, etcetera and use them only for doing your financial transactions.
    Here are the users a Mac owner needs to create, and from what I have read almost none of them are coming even close to doing it:

    1. Your administrator user: Now set it aside and don’t use it for anything except for administration and NEVER head a browser in that account out to the Internet at large. Use it only for administering the system. If the browser must head to Apple or your AV system or something else that is security related, that is fine. Everything else is taboo. But if I am right and I think I am, over 95% of Mac users are using this account as their one and only account in the smug belief that just using a Mac makes them invincible. All it makes them impervious to are Microsoft Windows binaries. You are still spied on (tracked). You also aren’t immune to Mac binaries. There are fewer of them right now but that can change. And unlike me needing two sets of binaries for my Ubuntu and OpenSuse systems (library incompatibilities) of the same programs you are pretty much assured some homogeneity of whatever Mac Trojan is coming at you. They will probably work on any versions of the OS-X that were designed for the Intel architecture.

    2. A normal user: Use this one for your general purpose use. This one MUST require you to type the sudo password to install out of the ${HOME} file space. You also should not be auto-logged into it (for the OpenSuse users – make sure you disable that auto login feature – also if you use Gnome, you turn off the screen lock in the screen saver preferences).

    3. A banking user: This one is also a normal user that has to type the sudo password to install out of the $HOME file space. Won’t your normal user account be enough? What if they have installed the trojan in ${HOME} which as a security analyst is what I would do? I can probably get all of it done without you knowing I did anything at all. After all, Apple kindly provided me with a dandy way to hide it:

    http://openp2p.com/pub/a/mac/2002/10/22/macforunix.html

    Go to page 2, point number 5. Now all I need to do is have my install script execute the following script in the ~/Applications folder:

    SetFile -a V MyBeautifulTrojan
    # similar for all of the files I put on your system.

    Hmm, maybe SetFile should be a privileged command?
    Oh, I forgot – the Mac user is using an administrator account for everything.

    If they did something just as stupid and bone-headed as Ubuntu did in putting ~/bin before all of the system bins and Apple put ~/Applications ahead of the system ones I would assuredly also do the same with these, also in the ~/Applications folder:

    SetFile -a V ps
    SetFile -a V ls
    SetFile -a V # what ever else I need.

    Now you BETTER know where your real system ls command is if you have ~/Applications first in the $PATH (we will ignore for the moment that maybe I could slam it into your startup files to make sure it is first if Apple didn’t do it for me). You will not only not be able to see any of these files using the Finder, you won’t see them with ls in a terminal either because you will be using MY ls. And I did every bit of it without alarming you by asking for the sudo password. Oh, I forgot again, you are using your administrator account for normal use. In fact you are using your administrator account for everything.

    For those taking the dedicated Windows machine used only for banking route I would advise people to take my PAC filter and alter it by stripping out all the rules and basically black-list out the entire world and then white-list your way out of that into allowing Microsoft, your AV and other security packages and your banks back in. I would take the time to do it myself but I am swamped. But if you had that, your temptation would be met with a not-so-kind white page and a block in the browser. You would be reminded “this computer is to be used for finance-only transactions – everything else is forbidden.” If you don’t do that you are right back where you are at now. I did mention that one user couldn’t turn the PAC filter I created off didn’t I? I finally had to put how to turn it off into my blog. The only thing I can say is if it really did get in his way of getting to stuff and he doesn’t know how to turn the PAC filter back off then he probably needed it and in addition also needed to learn a lot about the Microsoft Windows system he was using. But I can assure you my PAC filter doesn’t black out the entire world as he put it. It just blocks out the portion I have seen time and again leads to problems. Unfortunately the PAC filter also causes FPs. Either white-list your way out of the FPs or remove the rule that gets in your way. A system with a nobbled filter is better than no filter at all. Don’t install Adobe Reader on this dedicated banking system. If you must read PDF files, use Foxit or something else. Don’t put Flash player on this system. Do not install Shockwave player on this system. Use it only for banking / finance and nothing more. If you don’t have the self discipline to do that then go the LiveCD route.

  2. xAdmin

    @Henry Hertz Hobbit

    Great info, much of it can be applied to any OS. Using the almighty administrator account for everyday use is just inviting disaster as it gives the keys to the castle so to speak for ANY software, good or bad, to run on the system. Using administrator basically defeats one of the most important layers of security built into modern operating systems. It should ONLY be used for system administration. Of course, the entire issue of using administrator stems from the old usability versus security paradigm and is exacerbated by software developers that designed software assuming the use of the administrator account. That issue HAS been changing over the years, although Microsoft still makes it all too easy to set up and use an administrator account. As much as they want security, they also understand users just want things to work (usability).

    The PAC list sounds similar to a blocking hosts file that can be a very effective layer of security on Windows systems. I’ve been using MVPS’s blocking hosts file (see link below) for years and feel very strongly it has prevented malware from even getting to my system when browsing the far reaches of the Internet.

    http://www.mvps.org/winhelp2002/hosts.htm

    All in all though, for me it always comes back to the 10 Immutable Laws of Security, in particular #10.
    http://itknowledgeexchange.techtarget.com/security-corner/10-immutable-laws-of-security

    Law #10: Technology is not a panacea

    No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.

    It is what has kept me malware free for the 14+ years I’ve been using computers! 🙂

  3. Sean

    So, as a small business owner, I have taken Mr. Krebs advice very seriously, and I now do all of my business’ online banking using a Linux LiveCD, on a second computer that resides right next to my main Windows machine on my desk.

    This works fine, generally, and although it is clunky and less convenient, it is still more convenient than mailing bills at the post office or getting in the car every day and driving to the bank to check up on my account balance.

    HOWEVER, even with all these steps, I have caught myself inadvertently trying to use my Windows machine to log into my bank account several times, simply because I was “not thinking” about what I was doing. Sort of like putting the milk back in the cupboard instead of the fridge.

    In my REAL-WORLD experience as a small business owner, even the dual machine / LiveCD solution is easily defeated by 10 seconds of doing “something stupid” accidentally. It’s like keeping a loaded handgun on your desk with the hammer cocked.

    Call me stupid if you want – but I still think it is way too easy to screw yourself during a moment of not thinking straight.

    1. Matt

      I must confess I have not tried the LiveCD process yet but I do intend to give it a go. I am curious about the mechanics of interaction between your accounting software and the machine you run the LiveCD on. Do you run the accounting software locally on the same LiveCD machine and then save the files to a USB stick, or have it on a separate machine and just memorize account numbers and transaction details over into the writeable machine?

      Our online business banking platform synchronizes with a range of accounting programs we currently run on the same machine we connect with. I suppose I could use usb sticks to transfer the synchronized files back and forth with the accounting machine but I imagine that would defeat the security of doing LiveCD in the first place.

      1. Sean

        Matt –

        I do all the account reconciliation by hand. My business is such that there are maybe 50 transactions per month. You bring up an excellent point, though. For businesses with higher transaction volume, hand reconciliation would not be practical.

        1. Sean

          Upon further reflection – I guess that’s really why I ultimately decided to set up two PC’s running at the same time with two separate monitors.

          I did originally try rebooting into a LiveCD every time I wanted to do an online bank transaction, but synchronizing these online transactions with Quickbooks in a Windows environment became too painful.

          So, in my setup, the Windows PC/monitor runs Quickbooks and the Linux PC/monitor displays the bank website.

    2. JBV

      Sean, you’re not stupid, just a creature of habit. Try a simple step like taking the bank’s address out of your URL favorites/bookmarks in your “main machine.” If you have to type in the address to access your bank, you’ll realize that you’re on the wrong computer!

      1. Sean

        JBV, thanks for the advice, but I don’t even use bookmarks! I always type the website address directly.

        Maybe I need to add my bank’s website to the list of “Restricted Sites” on my Windows machine.

  4. Henry Hertz Hobbit

    Sean:

    If you have a neighborhood geek have them install my PAC filter on their system (their choice of OS since it works on all operating systems and in all browsers) first and then your Windows system (they will need Homer on Windows):

    http://www.SecureMecca.com/pac.html
    http://www.HostsFile.org/pac.html

    Tell them to ruthlessly strip out any rules that get in your way. Even a nobbled filter is better than no filter at all. But have them add either these rules to your PAC filter

    BadDomains[i++] = "MyBank.com";
    BadDomains[i++] = "MyCreditUnion.com";
    // any other finance sites you have

    or these:

    BadHostParts[i++] = "MyBank.com";
    BadHostParts[i++] = "MyCreditUnion.com";
    // any other finance sites you have.

    That way every time you try to go to your finance institutions on Windows you get a not so kind reminder (a blank page which is really just one CRLF) that you are to shift over and use the other system. Tell the geek to set the PAC filter to set it up for themselves first on their own systems. I must add that I do have fourth dimension rules like these in the PAC filter:

    GoodDomains[i++] = ".wellsfargo.com";

    BadHostParts[i++] = "wellsfargo.com";

    Unfortunately I have to put the “.” at the start of the first rule to prevent you going to some place like hocus-pocus-wellsfargo.com so you have to enter at least a leading “www.” before “wellsfargo.com”. Even if you have something like wellsfargo-com.esoteric.co.uk or similar the second rule will block it without knowing about it a-priori. The reason why is that the “.” without a leading back slash means match any one character. The reason it works is the GoodDomains rule is checked first and the BadHostParts rule is checked second. Yes, that means I am blocking all of these phish names without even knowing what they are! But you need that geek to help set it up. I am not a geek. I have built network management systems for a State and a University and have three degrees and used to have a lot of interests. Now all I want to do is retire to a French Polynesian island and never return. I think I have just enough brain cells left to learn French (badly), and that is about all.
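The rule order this comment describes (GoodDomains checked first, then BadDomains and BadHostParts, the latter as regular expressions), together with the deny-everything-then-allowlist mode suggested for a dedicated banking machine in comment 1, as an added example in JavaScript. This is not the commenter's SecureMecca PAC filter; the blackhole proxy address, the DEFAULT_DENY switch and the hostnames mybank.example, mycreditunion.example and esoteric.example are constructed for illustration.

```javascript
// Added example: a minimal proxy auto-config (PAC) file that applies rules in
// the order the comment above describes. Not the commenter's own filter.

// Where blocked requests are sent. Nothing listens on this port, so the
// browser shows a connection error; the commenter's setup points at a tiny
// local server (Homer) that answers with a blank page instead.
var BLACKHOLE = "PROXY 127.0.0.1:1";

// true on the dedicated banking machine (block everything except GoodDomains,
// the "black-list the world, then white-list your way out" approach);
// false on the general-purpose machine (allow everything except the lists).
var DEFAULT_DENY = false;

var i = 0;
var GoodDomains = [];
var BadDomains = [];
var BadHostParts = [];

// The leading "." means "a subdomain of": www.wellsfargo.com passes, but
// hocus-pocus-wellsfargo.com does not, and neither does bare wellsfargo.com
// (you must type at least www.), exactly as the comment explains.
GoodDomains[i++] = ".wellsfargo.com";

i = 0;
// On the general-purpose machine your own bank goes here, so that visiting it
// produces the "use the other computer" reminder (constructed hostnames).
BadDomains[i++] = "mybank.example";
BadDomains[i++] = "mycreditunion.example";

i = 0;
// Treated as regular expressions, not literal strings: the unescaped "."
// matches any one character, so wellsfargo-com.esoteric.example is caught
// too, without the filter knowing that lookalike name in advance.
BadHostParts[i++] = "wellsfargo.com";

// Old PAC engines lack String.prototype.endsWith, so spell it out.
function endsWith(host, suffix) {
  return host.length >= suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

// Decide for one hostname. Kept separate from FindProxyForURL so the same
// logic can be exercised for both machine roles.
function findProxy(host, defaultDeny) {
  var h = host.toLowerCase();
  var k;
  // 1. GoodDomains first: the real bank must not be caught by the regex below.
  for (k = 0; k < GoodDomains.length; k++) {
    if (endsWith(h, GoodDomains[k].toLowerCase())) { return "DIRECT"; }
  }
  // 2. BadDomains: exact, case-insensitive host match.
  for (k = 0; k < BadDomains.length; k++) {
    if (h === BadDomains[k].toLowerCase()) { return BLACKHOLE; }
  }
  // 3. BadHostParts: regex match anywhere in the hostname.
  for (k = 0; k < BadHostParts.length; k++) {
    if (new RegExp(BadHostParts[k], "i").test(h)) { return BLACKHOLE; }
  }
  // 4. Nothing matched: the machine's default policy decides.
  return defaultDeny ? BLACKHOLE : "DIRECT";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return findProxy(host, DEFAULT_DENY);
}
```

Browsers load this through their proxy auto-config URL setting; as the comment suggests, have whoever installs it try the rule set on their own machine first, because a false positive here shows up as a blank page with no explanation.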

  5. Dark Energy

    Kaspersky has stated that a total of 2,247,659 backdoors, hacktools, exploits, rootkits, viruses, worms and trojans have been targeted for Windows vs. 1,898 for Linux and 48 for OS X [Inside Cyber Warfare – Jeffrey Carr – Page 193 – Figure 13-1].

    The only conclusion we can come to is both Linux and OS X are vastly more secure than Windows.

  6. King Reggin

    I hope the guy who got all this money stolen was fired and sued.

  7. Henry Hertz Hobbit

    Dark Energy:

    If Ubuntu, which is the most popular Linux distribution, keeps putting ${HOME}/bin first in the ${PATH} and these hackers, who are 99% Windows experts and many are only Linux newbies, ever find out how to exploit it, it won’t stay that way much longer. If 85%+ Macintosh users keep using their administrator account and similarly these hackers who frequently don’t own a Macintosh finally take the time to exploit it, a huge new populace is there ready for the fleecing. Again, most of the hackers don’t know how to work with Macs. It is the hackers’ ignorance of these other operating systems and their great success with Windows that creates an atmosphere where there is no incentive for them to target these other systems even if they are safer. That is the only reason for such lopsided numbers that seems reasonable. Or maybe it is because they work from Linux and don’t want what they work from attacked (honor among thieves). They may themselves become victims.

    King Reggin: You didn’t read carefully enough. HE (the person that did it) OWNS the company! I suppose he could fire himself. I just hope he and his wife aren’t running their Macs from administrator accounts! They probably are, citing Dark Energy’s numbers as the reasons for their complacency.

    Maybe me and Charlie are going about it the wrong way. Maybe we should make some money off these pompous Linux and Mac owners.

    1. Terry Ritter

      “It is the hackers’ ignorance of these other operating systems and their great success with Windows that creates an atmosphere where there is no incentive for them to target these other systems even if they are safer. That is the only reason for such lopsided numbers that seems reasonable.”

      If the attackers are so ignorant, how is it that malware is still winning despite years of patch responses by Microsoft professionals?

      The key to understanding malware is in the way it is distributed. Anybody who is browsing or has an email address may receive malware. Since Microsoft Windows supports 91 percent of browsing, about 91 percent of malware encounters Windows and is set up to handle Windows. Macs receive the same malware package, but the package is not set up to handle Macs. An attacker would have to be an idiot to prepare for a Mac in this environment (except for development or market tests), unless Mac users somehow yielded 18 times as much profit as Windows users.

      Malware success is almost completely unrelated to OS quality. Almost 100 percent of malware will be designed for the most popular OS, no matter how buggy or strong any of the OS’s may be.

  8. Dark Energy

    According to the Kaspersky numbers, for every piece of malware that affects OS X there are 46,826 that affect Windows.

    If the ratio of OS X installations to Windows installations is also 1 : 46,826 then this is not suspicious.

    I could not find data on the total number of installations in the world by operating system.

    The number of defects in an operating system is related to the amount of malware targeting it. For every defect in Red Hat Linux there are more than 10 in Windows [Jeffrey Carr – Page 192]. I don’t know how Mr. Carr knows that since the Windows source is closed – but when discussing security by operating system let’s stop overlooking the most important thing – the defect rate in the kernel and core components.

    1. Terry Ritter

      “The number of defects in an operating system is related to the amount of malware targeting it.”

      I do not think so.

      The number of attacks should *not* be expected to be proportional to the number of systems *or* the number of defects. Attacks are directed at the *single* most popular system, so the malware can be prepared to succeed most often.

      Malware distribution generally finds user systems at random, and then must exploit whatever system it finds. 91 percent of the time that is Microsoft Windows. An attacker would have to be nuts to prepare for any other OS, no matter how buggy it is.

      Currently, it would not be easy to get only those with (say) Mac systems to click on a malware link, or open a malware .PDF file. Even if possible, why bother? Rejecting Windows means rejecting 91 percent of attack opportunities. Preparing for a secondary OS is a waste of time compared to improving distribution.

      Malware attacks are designed for *the single* most expected environment. Even though Windows will be found only 91 percent of the time, attackers will prepare for Windows almost 100 percent of the time, because that will give them vastly better chances of success than any alternative.

      1. Anthony Youngman

        And as has been shown with several counterexamples, it is JUST NOT TRUE that malware targets the most popular system.

        Apache outnumbers IIS 2 to 1. Yet most web-server malware targets IIS.

        And I’ve just seen figures on mobile-phone malware. Windows Mobile is very much an also-ran in the phone OS stakes. Yet again, most phone malware only targets Windows. If your assertion is correct, why does mobile-phone malware target the system with less than 20% of the market?

        Cheers,
        Wol

        1. Terry Ritter

          “And as has been shown with several counterexamples, it is JUST NOT TRUE that malware targets the most popular system.”

          Counterexamples must be apples-to-apples. In the current context of banking user OS’s, and malware targeting those users, it is in fact true that malware targets the most popular OS almost exclusively.

          The only real surprise is the “almost exclusively” part. Malware cannot handle whatever machine it lands on. Instead, the malware package must be developed for a particular OS (or environment). Preparing for the most-popular OS is an attacker no-brainer, and that is what we see.

          We do not see malware for Macs or Linux. Examples do of course exist, but it is just not a major direction for attackers, because it is far less profitable. That is not because Mac users have less money, it is because the probability of encountering a Mac user is only 5 in 100, as opposed to 91 in 100 for Windows. To make Macs worthwhile for attack, Mac users would have to provide 18 times as much profit as each Windows user. So what we see makes sense.

          On the other hand, if you have a better model for malware reality, trot it out!

      2. Dark Energy

        The amount of defects in software is related to the number of exploitable bugs – which in turn affects the size of the attack surface. The larger the attack surface, the easier and less expensive it is to develop malware that targets it – and consequently more malware is built for it.

        Let’s assume this relationship does not exist. Then software with millions of bugs is just as secure as software with no bugs. The number of buffer overflows doesn’t matter. However, we know this to be an absurdity.

        Malware does not always target the single most popular operating system – if that were the case then all malware would target Windows – even if Windows only had 51% of the market share.

        No one suggested the relationship between the number of defects and the malware that targets an operating system is proportional – I said it was “related.” Proportional implies a linear relationship between two variables. I don’t believe the relationship is linear – it may very well be exponential.

        1. Terry Ritter

          “The larger the attack surface, the easier and less expensive it is to develop malware that targets it – and consequently more malware is built for it.”

          “easier and less expensive” — True.

          “consequently more malware is built” — False.

          Once past a certain size, every large complex software system has exploitable faults, even after hundreds of patches. For attackers, finding faults is increasingly difficult, yet it is done. Improving security in Microsoft Windows has not reduced the amount of malware, in fact malware is getting worse. These are the facts, the only question is why these facts are the way they are.

          I claim the amount of malware is best understood as having almost *nothing* to do with OS quality or programming difficulty. Malware makes sense when seen as:

          a) a random distribution,
          b) programmed for a particular OS,
          c) to make the most profit.

          Malware has everything to do with profit, which necessarily means addressing the single most-popular OS, no matter how buggy or easy-to-defeat other OS’s may be.

          “Let’s assume this relationship does not exist. Then software with millions of bugs is just as secure as software with no bugs. The number of buffer overflows doesn’t matter. However, we know this to be an absurdity.”

          Since there are no large, complex software systems without bugs, the argument itself is “absurd.”

          The overall security of a large system does not change much, in general, when a particular bug is fixed. System security is the minimum across all attack possibilities. Patching a known vulnerability just eliminates one approach. Attackers using that approach obviously need another, which they always find. As Microsoft continues to patch bugs, we have direct evidence that reducing the number of bugs, thus making attacks more difficult, does not reduce the amount of malware.

          In practice, when a buffer overflow is found, there is a rush to fix it. The question is whether fixing that bug, or another, or even year-after-year of bug patches, actually reduces malware. Surely patching bugs makes malware more difficult to write, so by the argument there should be less, right? Yet after years of Microsoft patching we see malware still targeted at that platform, and in fact increasing for that platform. The facts contradict the claim.

          “Malware does not always target the single most popular operating system – if that were the case then all malware would target Windows – even if Windows only had 51% of the market share.”

          In the context of this blog, the banking user OS arena, virtually all malware *does* target Windows. Indeed, it is that strange fact which is most confusing to those who claim technical superiority for one or another OS competitor. Recognizing the limits on malware distribution and working out the simple profit probabilities clarifies why attackers continue to prepare for an increasingly-difficult OS rather than some other.

          Yes, I do predict that Windows would have to slide almost as low as the next competitor before we start seeing malware seriously turn in a new direction. Attackers will choose the option that gives them the best profit, which almost always means the single most popular OS.

          1. Steve Parker

            Well then, this explains why there are so many hamburger joints in the US, and no Thai restaurants, or Ethiopian eateries, or…..

            Because in a free market EVERYBODY goes where the most money is.

            Sorry, I don’t buy it. The reason for the virtual non-existence of OSX malware may not be the inherent security of the OS, but it certainly isn’t lack of market share. There are millions of Macs in the wild, nearly all of them unprotected by AV, and most of them used by the great unwashed from a security perspective.

            This “market” seems ripe for the picking. I’ve yet to hear an explanation for the lack of harvesters that seems reasonable to me.

          2. Terry Ritter

            @Steve Parker:

            “There are millions of Macs in the wild, nearly all of them unprotected by AV, and most of them used by the great unwashed from a security perspective.

            This “market” seems ripe for the picking. I’ve yet to hear an explanation for the lack of harvesters that seems reasonable to me.”

            Then listen up because you are about to get that explanation:

            The reason Macs are not exploited as a vulnerable group is that malware is generally distributed in ways which do not beforehand know what type of computer OS will be encountered. For example, an email .PDF malware does not know what machine may be used to read it. Similarly, a web-site malware link delivers the same file to any computer running any OS.

            A malware is just a computer program and must be programmed for a particular environment (typically, a particular OS). If a malware program is designed for Microsoft Windows, it will not run on a Mac.

            So if an attacker puts out Windows malware, that has a 91 percent chance of finding itself on a Windows system and achieving success. 9 percent of the time the Windows malware fails simply because it finds a Mac, or Linux or something else, and cannot run.

            If an attacker puts out Mac malware, that has a 5 percent chance of finding itself on a Mac system and achieving success. 95 percent of the time that malware fails because it does not find a compatible host.

            * Which of the malware options, Windows or Mac, is likely to be the most profitable? (That would be Windows by 91 to 5, an 18x advantage.)

            * Is there some ratio of Mac malware to Windows malware that would improve profits? (No. The profit optimum is to have *all* Windows malware and *no* Mac malware at all.)

            DOES THE LACK OF MALWARE FOR MACS SEEM REASONABLE NOW?

  9. Steve Parker

    @Terry Ritter

    Uh, no. That makes no sense. What you are suggesting is that no malware writer would bother trying to exploit what is essentially a niche market. That doesn’t jibe with reality in every other area of life, where niche markets are almost always served by someone. And that assumes 10% is a niche.

    Windows’ prevalence may explain why it is a favorite target, but it absolutely does not explain the almost total lack of OSX malware, especially when there are numerous techniques for targeting attacks at specific platforms.

    Is OSX harder to exploit? Are malware authors really so myopic (or lazy) that they can’t see the opportunity? Or is something else going on?

    I don’t have the answer, and I’m pretty sure you don’t either.

    1. Dark Energy

      And that’s why it’s important to discuss these variables (popularity, exploitability, etc.) that influence the problem.

      If we could build a model that takes all of this into account then we might be able to predict the volume of malware – and ultimately allocate the optimal amount of resources to counter it.

      Niels Provos has done a substantial amount of research on the number of honeypots it takes to disable worms based on the number of susceptible hosts. I’d like to see something like that for every category of malware.

    2. Terry Ritter

      “Uh, no. That makes no sense. What you are suggesting is that no malware writer would bother trying to exploit what is essentially a niche market.”

      Uh, no. What I am stating is that the malware author does not have the *opportunity* to distribute to a market consisting of a particular OS. In general, malware is distributed to a computer before the OS on that computer is known.

      Perhaps the problem would be clearer if you would describe in detail exactly how you think a malware author *could* distribute their Mac malware only to Mac computers.

      There have been some attempts in this area, even in the last week. Sometimes it is possible to get malware into a Mac software distribution center or on a Mac site, but that is pretty hard and generally does not last too long. The vast, vast majority of malware is distributed at random, which means a single malware program is sent to every possible email address or browser click. Most of that effort is lost unless the malware program is ready to run on Microsoft Windows.

      “I don’t have the answer, and I’m pretty sure you don’t either.”

      Really? You may wish to reconsider that.

      1. Steve Parker

        Browser user agent strings.

        Web based attacks have been adaptively attacking selected targets for years.

        For email, maybe spam all .mac addresses.

        1. Terry Ritter

          “Browser user agent strings.”

          All that can do is *not* send malware to a computer with the wrong OS. So the malware does not run, which is exactly what would happen if it were sent. The only result is saved bandwidth, which the malware is probably stealing anyway. It does not increase the number of infections, which is the money issue.

          The outcome is set when a user somehow goes to the malicious site on a particular OS. That is before the actual browser contact. After that, there is little or no advantage to *not* sending malware to anyone who connects.

          “Web based attacks have been adaptively attacking selected targets for years.”

          Which is, of course, how we know they are relatively ineffective both as a profit base and as a worry for ordinary users. They are fine for intelligence operations, or a special target. They are not the way for malware authors to make money, and they are not the way normal users lose money.

          “For email, maybe spam all .mac addresses.”

          I am dubious. Probably any OS-specific email service will specifically check for broad-based spam. Since Mac malware does in fact exist, we can infer that some reason exists which prevents such distribution, or makes it ineffective. That would not be the Mac computer itself, because we know Macs can indeed be infected.

          Mac infection is normally rare because malware authors generally have a more popular, and thus more profitable, target. However, infecting a few Macs from time to time may be good propaganda for malware authors to keep users on the popular OS. And we may see some periodic development and market testing for the Mac platform.

          1. Dark Energy

            The User-Agent HTTP header can be used to target compatible systems as well as avoid incompatible systems.

            Consider my browser’s User-Agent header:

            User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

            It’s fairly obvious what operating system and browser I’m using. In this case an attacker might send a Java applet that exploits a hole in Firefox for Windows.

            The site could just as easily not send the applet to a Safari browser on a Mac.

          2. Terry Ritter

            @Dark Energy:

            “The User-Agent HTTP header can be used to target compatible systems as well as avoid incompatible systems.”

            You are missing the point. Identifying the OS a user has does not bring any more users to the malware site. It just handles some of the unattacked remainder, beyond the 91 percent already correctly targeted.

            Adding a second malware can at best increase the attacked subset from 91 percent to about 96 percent. But the added OS will require about the same amount of work and continued development as the first. So attackers have twice the work for a 5 percent increase in profit.

            Attackers can get an equivalent increase much easier simply by distributing more malware. And that requires no added technical foo-faw on invaded pages.

            “In this case an attacker might send a Java applet that exploits a hole in Firefox for Windows.”

            For best security, people should not be using Java, if at all possible.

            Although browser intrusions may not require OS-specific code, they probably will need OS-specific code to infect the hard drive. Then we are back to the dominant OS argument again.

            One alternative might be for an intrusion running in the browser to call home and download and save an OS-appropriate infection. But even if that could be made to work, it could only improve profit by about 5 percent.

      2. Dark Energy

        Selecting a target based on operating system or the type of server software is a common practice for worms.

        It can be very easy to analyze the operating system’s TCP stack to determine both the vendor and version. Some server software, such as OpenSSL and BIND, will actually report its version to you.

  10. Henry Hertz Hobbit

    Brian:

    It is time to bring this to an end. No matter what the reasons, it appears that Macs and Linux and Unix have far less malware than Windows. As one person said a long time ago, they don’t care why. They just know that if they can shift to using either a Mac or Linux that is something that will reduce their exposure, at least for now. If you ask me, it will be forever. M$ market share and percentage have not changed and never will. It is rock hard solid and stable and will stay that way forever. What puzzles me is this inordinate fear M$ has of Linux when Mac has a much more significant market share. It has been that way for over seven years now since they first stood up and took notice of it.

    But the vast majority of Mom & Pops I go to have software that only runs on Windows. I don’t care how much more secure these other operating systems are. When the software you need to run your small business exists only on Windows you have no choice but to use it. Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb. All these people want is something that makes their banking secure and they want it NOW!

    Brian gave some acceptable ways to reduce that risk. I support those methods he proposed. The only caveats I have are the following two things (this is just a start – for somebody who has used Unix since the 70s I am appalled by the first one):

    First, I want the Ubuntu team and any other Linux, Unix, or Mac type people to put $HOME/bin or other $HOME executable folders LAST in the $PATH! This is not negotiable! I want them to change it and I want them to change it now! If you are running from a LiveCD, you cannot change this, so it is imperative that they get this correct! I am baffled how this, which was taught in Unix safety 101 back in the early 80s, is being done wrong now.

    Mac owners somehow need to be trained to not use their admin account, and if possible they will need to create a secondary admin account and then a normal account and use the normal account for everything. The secondary admin account should not even be used for admin purposes – it should sit there to clean up a disastrous User infection in your normal account.

    I am trying to stave off the problems that exist on Windows ( “.” is ALWAYS in the $PATH ) on Linux and Macs before the problem moves there. What are the rest of you doing? You are not helping these people who just want to do more secure banking NOW!

    In case you are wondering, I have two Linux distros as well as DesktopBSD on my systems. I also have Windows. I make filters for the Internet and almost never am using Windows to do it. Any further comments to this thread from fanatic Linux and Windows devotees that don’t want to address these small business users will be sent to /dev/null (NUL for Windows people).
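The two fixes asked for in the comment above (no “.” or empty entry in $PATH, and $HOME directories only after the system directories) can be checked mechanically. The following is an added example and not code from the original post or any distribution: an audit that reports dangerous $PATH entries and a function that rewrites the value the way the comment asks for. The system directory list and the sample $PATH value are constructed assumptions.

```python
import os
import stat

# Assumed set of system directories; adjust for the platform you audit.
SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def audit_path(path_value, home, system_dirs=SYSTEM_DIRS, check_perms=True):
    """Return a list of findings (strings) about a colon-separated PATH value.

    Reported:
      - "." or an empty entry (a trailing/leading/doubled colon), which makes the
        shell search the current directory for commands
      - any relative entry
      - an entry under `home` that appears before the first system directory,
        so a user-writable file would shadow a system command of the same name
      - an existing entry whose directory is group- or world-writable
        (sticky directories such as /tmp are skipped)
    """
    findings = []
    seen_system = False
    home = home.rstrip("/")
    for pos, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            findings.append(f"entry {pos}: current directory is searched ({entry!r})")
            continue
        if not entry.startswith("/"):
            findings.append(f"entry {pos}: relative path {entry!r}")
            continue
        if entry in system_dirs:
            seen_system = True
        elif (entry == home or entry.startswith(home + "/")) and not seen_system:
            findings.append(f"entry {pos}: {entry!r} under $HOME precedes the system directories")
        if check_perms:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                continue  # entry does not exist or is unreadable; nothing to shadow from there
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
                findings.append(f"entry {pos}: {entry!r} is group- or world-writable")
    return findings


def fix_path(path_value, home):
    """Drop current-directory and relative entries, move $HOME entries to the end,
    keep the first occurrence of everything else in its original order."""
    home = home.rstrip("/")
    kept, deferred = [], []
    for entry in path_value.split(":"):
        if entry in ("", ".") or not entry.startswith("/"):
            continue
        bucket = deferred if (entry == home or entry.startswith(home + "/")) else kept
        if entry not in bucket:
            bucket.append(entry)
    return ":".join(kept + deferred)


if __name__ == "__main__":
    # Audit the real environment of the current shell.
    for finding in audit_path(os.environ.get("PATH", ""), os.path.expanduser("~")):
        print(finding)
    # Constructed sample: $HOME/bin first, "." in the middle, trailing colon (empty entry).
    sample = "/home/alice/bin:.:/opt/acme/bin:/usr/bin:/bin:"
    print(fix_path(sample, "/home/alice"))
```

Run it on a LiveCD session as the comment suggests: the first loop prints what the live environment actually does, and an empty result means neither of the two complaints applies there. The `fix_path` output is the value to put in the shell profile (`export PATH=...`) when the audit does find something.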

    1. Terry Ritter

      “But the vast majority of Mom & Pops I go to have software that only runs on Windows.” — Fine.

      “I don’t care how much more secure these other operating systems are. When the software you need to run your small business exists only on Windows you have no choice but to use it.” — Fine, but not necessarily *on line*.

      “Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb.” — A bridge too far.

      Not all users need particular apps and also need them during online banking. Many others can adjust the way they work to allow banking outside Windows, while still running the business.

      For most users, the appropriate suggestion is to use a secure platform for banking and do nothing else at the same time. Then, when banking is over, use the insecure platform as needed.

      By “the secure platform” I mean booting from a free LiveCD or DVD on the same computer hardware. Or perhaps on a separate computer, even an old one no longer practical for Windows.

      “All these people want is something that makes their banking secure and they want it NOW!”

      Generally, people who run businesses, even small businesses, tend to live in the real world.

      I believe that Microsoft Windows cannot be hardened enough for online banking by any means whatsoever. So if “they want it NOW” means just adding stuff to the old system because it is quick, that is not going to solve the problem. Waiting for the bank, the banking industry, or government to “solve” the problem will be anything but quick.

      Many people feel security is not worth the trouble, or have decided (probably too quickly), that they are willing to take the risk. That is fine. They can do that. But those who have decided they want real security are in a different group. They should not be using Windows online, and certainly not for online banking. People who want security for online banking should be booting free Linux from a LiveCD or DVD.

      1. xAdmin

        While I understand your reasoning and advocating using a Live CD, I completely disagree that Windows cannot be hardened to be used for online banking. Why? Because I can personally vouch for the fact I HAVE and continue to harden my Windows systems to the point I have NEVER been compromised in ANY way. And, to say, on systems I also use to browse the Internet. I may be the exception so to speak. But, it IS possible, contrary to what you say!

        Even so, I generally wouldn’t recommend so because the majority of people do not have the insight or discipline that I may have in order to do so. So, admittedly, a Live CD is probably most effective for them. 🙂

    2. Lynda

      “When the software you need to run your small business exists only on Windows you have no choice but to use it. Sitting there discussing this or that factor when that is the case for a small business owner with no budget for creating the vertical apps they need when they already exist but only run on Windows is dumb. All these people want is something that makes their banking secure and they want it NOW!”

      Fact is, there’s a lot more small biz s/ware available for the Mac than most people realize. If anyone were seriously interested in this, they can contact members of ACN, Apple Consultant Network. http://consultants.apple.com/

      And, though it is correct to say that Macs are more expensive, the entry level desktop is $699. And, one can run Windows on it, in addition to Mac OS X, either on a separate partition (boot camp), or in a VM, using either VMWare’s Fusion or Parallels VM.
      I am *not* advocating this solution for those who truly cannot afford it, just saying that, for those who find Linux confusing, and/or those who have people on staff who know the Mac OS, it is not as costly or difficult as some believe. Maybe it used to be that there wasn’t enough s/ware – now that is really pretty rare. Further, in some cases, such as MacPractice for MDs and DDSs, the Mac s/ware is significantly less expensive than the Windows counterpart.
      Again, Linux, or running a Windows PC only used for banking, may very well be best for many. But this other solution does exist, and it may fit for some.

  11. xAdmin

    Interesting discussion. To me, the low hanging fruit analogy is apt here.

    On the big ol’ software fruit tree, we have all operating systems with a high amount of Windows systems taking up the bottom primarily due to its ubiquitous nature and default configuration out of the box for usability (which is counter to security). Now, if you’re a malware author hungry for profits, are you going to go after the high hanging, more difficult fruit? No, you’re going to go after the ripe ones sitting toward the bottom because it doesn’t take as much effort. As long as there is low hanging fruit, the higher hanging fruit will be left alone. Now, consider that out of the box, by default each OS will sit at a different level on the tree. Then, depending on defensive counter measures, a system will move higher, in effect making it more difficult to pick. In effect, regardless of what OS you choose to use, it’s about risk management and taking appropriate steps to ensure you are NOT low hanging fruit ripe for the picking. 🙂

  12. John Harris

    I seriously cannot believe the number of Microsoft Apologists, Paid Trolls, Seriously misinformed, and/or armchair experts, who it appears, are haunting this forum.

    They all simply fail to understand, or fail to acknowledge, the fundamental differences between a system that is inherently broken, versus any system that is designed not to be.

    Unix, Linux, BSD, Apple OS-X, etc, are operating systems that are designed from the ground up, to be secure.

    They require little effort to make them even more secure.

    Any and all exploits (Minuscule number thereof) are either academic, or require the operator to take leave of their senses.
    Even then, this leave of common sense is not normally granted by the aforementioned systems.
    Fixing the aforementioned problem on a Non Redmond platform is also ridiculously easy.
    Most times, it requires no more than a simple restart.
    More so, more often than not, it must be a conscious, or otherwise, seriously flawed, decision to allow the system to be compromised.

    As compared to the Redmond incorporation’s decision to cater for the least common denominator, allowed near a keyboard.

    My *Nix and Apple clients simply don’t have their less fortunate Redmond Cousins Daily, Weekly, or ZERO day, problems with security.

    This, regardless of any conspiracy theory from Trolls, Redmond Apologists, or others, aside.

    The grand Furphy that the dark forces of the Internets favors the biggest numbers, of the most common, this being, Microsoft {Anything}, has been proven false, over and over and over again.

    The sad little apologists should simply accept that their little red wagon is broken.

    Further more, instead of trying to do a King Canute, that is, beating the waves back in a futile manner, they should ask their current chair tossing glorious leader to fix the fundamental problem, in Windows 7, or was that (Severe) or whatever version of Windows N(ot) T(ested), comes next.

    When Microsoft can imitate even half of the Unix/Linux/Apple code base for security, then you can start to boast.

    However, by the time that happens, Linux will have gone from a Twenty percent Desktop Market share, to a Forty percent one.

    Sadly, for the Redmond Fan Boys, they know that Firefox is burning their Web Browser share of the market to the ground.

    A simple check of the logs of the dominant web platform (L.A.M.P.) will show that their Fat Client is being replaced by a very substantial increase in the number of non Redmond (Linux) and Apple OS_X systems, in the client mix.
    This being, by both Web Browser and Workstation (Operating System) choice.

    So, Redmond lovers, deal with it, get your house into order, stop getting in the way of the rest of us, who oddly enough, contrary to some of the propaganda touted in this forum, have more than enough high quality, open source, business grade software, to do what we need, while using Linux, or Apple OS-X, without being exploited.

    As for counting true Market share, this is measured at and by, the Server Logs of the most dominant Server operating system (L.A.M.P.) on the planet, which sadly for Redmond, is not their rubbish.

    Certainly not as measured by the exit figures from Costco or some other (Redmond) vendors’ quarterly or annual sales rally.

    1. xAdmin

      I probably shouldn’t even respond as you know what they say about feeding you know what………… oh, never mind! 😛

      Wow! I’ve got to hand it to you. You’ve really nailed it! You owned it! (Although a little pitchy at times). I see the light now. This Microsoft apologist, paid troll, seriously misinformed, and/or armchair expert, Redmond fan boy, and sad little apologist (oh, said that already) is going to take his little broken red wagon to the scrap heap and go out and get a brand new shiny Apple or Penguiny thingy! You know because there are so many “high quality, open source, business grade software, to do what we need, without being exploited” out there now. Oh, oh, not to mention games! Uh huh! ;P

      (See how ridiculous you sound???) And to think you had me at “I seriously cannot believe”. 🙂

  13. Alan

    @John Harris: “Unix, Linux, BSD, Apple OS-X, etc, are operating systems that are designed from the ground up, to be secure.”

    No one has figured it out how to design secure software in the sense you suggest. All software vendors are issuing a constant stream of critical security fixes for operating systems and applications.

  14. Mike

    This is a really tricky thing getting on PCs that are yours. Even if you think you have no virus you could easily have one. I got this little device http://www.tapdrive.com that I really love. It’s a USB drive with its own read-only OS in it. This little baby is 100% virus proof. You can do on-line banking with ease of mind. For like $50 it’s so worth it.

  15. magicmoss

    Using Mac for a Day Cost Windows User $100,000

  16. Cole

    The best way to prevent this in North America is to use the same system European banks use. Every transfer requires the user to enter a random code from a list of codes (called iTAN) that is given to you by the bank when you open your account.

    It’s just way too easy to get into someone’s bank account here, even a teenager could do it.
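The indexed-TAN scheme Cole refers to can be modelled in a few dozen lines, which makes its properties easy to see. The following is an added teaching model, not code from the original post and not any bank’s implementation: the bank keeps a list of random one-time codes, hands the customer a printed copy, names one index per transfer, and accepts only the code at that index, once. The list size, code length and the lockout threshold are assumed values.

```python
import hmac
import secrets


class ITANList:
    """Bank-side model of an indexed TAN list (assumption: simplified for illustration).

    The customer receives the printed list once; each transfer is challenged with
    a fresh index and answered with the code printed at that index.
    """

    def __init__(self, size=100, digits=6, max_failures=3):
        # Unpredictable codes; secrets (not random) because guessability is the whole point.
        self._tans = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(size)]
        self._used = [False] * size
        self._pending = None        # index currently challenged (0-based), or None
        self._failures = 0
        self.max_failures = max_failures
        self.locked = False

    def printed_list(self):
        """What the customer holds: 1-based index -> code, like a paper sheet."""
        return {i + 1: t for i, t in enumerate(self._tans)}

    def challenge(self):
        """Pick an unused index at random and return it (1-based) for the customer to answer."""
        if self.locked:
            raise RuntimeError("list locked after repeated wrong answers; contact the bank")
        unused = [i for i, used in enumerate(self._used) if not used]
        if not unused:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        self._pending = secrets.choice(unused)
        return self._pending + 1

    def verify(self, index, tan):
        """Accept the transfer only if (index, tan) answers the open challenge.

        A correct answer spends the index so the same code is never accepted again
        (a captured code is worthless after use). Wrong answers are counted and the
        list locks after max_failures, so the code cannot be guessed online.
        """
        if self.locked or self._pending is None or index != self._pending + 1:
            return False
        if hmac.compare_digest(self._tans[self._pending], str(tan)):
            self._used[self._pending] = True
            self._pending = None
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    bank = ITANList(size=5)
    sheet = bank.printed_list()          # the customer's copy
    idx = bank.challenge()
    print("bank asks for TAN #", idx)
    print("correct code accepted:", bank.verify(idx, sheet[idx]))
    print("same code replayed:  ", bank.verify(idx, sheet[idx]))
```

What the model shows is why the scheme helps against exactly the incident in the article: a password stolen once is reusable forever, whereas a TAN list yields one code per transfer and a stolen code is spent as soon as it is used. It also shows the limit of the scheme: the code proves possession of the list but says nothing about the amount or recipient of the transfer, which is why later generations of this mechanism bind the one-time code to the transaction details.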

  17. Warren

    I haven’t read ALL of the above comments, but enough to conclude that the vast majority of commenters have been blinded to reality. Many of them appear to be rather educated and experienced IT professionals who have aided in continuing to mislead people into thinking that Windows computers are less secure than Mac or . I find that really disappointing.

    The reality is: The most popular OS has the greatest exposure to threat. Virus writers (as sick as they are) want their little release to actually affect some computers, so they will target the most popular OS. Why waste your time on the vulnerabilities of the lesser ones? Yes, they ARE vulnerable.

    Apple (and their faithful adherents) gleefully gloat that Mac is so much more secure than Windows. What a crock. The faithful are so deceived that they use their computers completely unprotected. It’s like believing an automaker’s claim that a car is so safe that you don’t need seatbelts. Fact is, you are driving on the same roads as everybody else, so buckle up.

    The writer of this article and many of you other commenters really need to listen to what you are proposing: Rather than properly protect your Windows computer AND actually learn how to safely use the Internet, you propose that you spend a pile of extra money to buy an Apple computer (which is only a proprietary Intel PC these days anyway) for an obscene amount of money IN ADDITION to your Windows computer (which you must acknowledge is needed because your Mac won’t do what you need it to do) for the sole purpose of online banking. Wow. Amazing. And incredibly inconvenient and stupid.

    C’mon, people – buy some decent security software for your Windows PC, sell your stupid Apple and take a course on how to use the Internet safely. Don’t let your kids use your computer unsupervised. In other words, get smart; get real. Quit wasting time and money!
