[LINK] Security and Platforms generally ...

Dr. Bob Jansen Bob.Jansen@turtlelane.com.au
Fri Nov 15 05:59:45 EST 2002


Might be something for an organisation like CSIRO to take on board. 
Anybody listening CSIRO?????

bobj

At 15:46 +1100 14/11/02, Frank O'Connor wrote:
>Yo Linkers ...
>
>The issue of security on different platforms has raised its head in a
>number of forums and publications of late (eg.TechWeb, Internet Week,
>Network Computing, Newsfactor, ZDNET and others are currently
>covering it) and a number of 'studies' have appeared from different
>sources that promote one point of view or the other ... and I thought
>it may be useful to cover the issue in Link.
>
>We also have (as sources) bodies like SANS, CERT and others that
>maintain a pretty good database of security violations. On the a more
>mercantile front we have commercial sources like Symantec that
>maintain pretty cool vulnerability databases of their own on the OS's
>and platforms they serve. We also have peripheral consultant bodies
>and industry funded bodies (whose impartiality I don't trust for a
>second) that put their 2 cents worth in. (Mi2g, Gartner, Aberdeen etc
>etc)
>
>With respect to security problems generally, the general consensus of
>opinion seems to be along the following lines (and in order of the
>degree of the market they hold):
>
>Microsoft OS's: Problems with technologies like VBScript, ActiveX and
>the Win32API - which offer multiple attack vectors. A high number of
>viruses and worms that attack using same. Relatively easy to generate
>hostile code. Few 'damage control' mechanisms (file,
>directory, process and other protection) for infected systems in the
>OS generally, relatively open network configuration in standard
>install. Incident incidence likely caused by degree of the market it
>holds, structural vulnerabilities in COM, ActiveX and the Win32API,
>relatively unrestricted VBScript permeability and the predominance of
>default MS setups and installed applications. Windows.NET
>should/could change this radically, and provide a degree of security
>that is probably in line with most UNIX variants. More than 65000
>known viruses - binary and macro/script, 200 odd worms, 300 odd
>network based attacks on the OS and different applications.
>
>MacOS 9 and its predecessors are usually regarded as pretty secure.
>Like all OS's it is vulnerable to worms. Viruses on the other hand
>have to surmount three factors that pertain ... the huge number of
>documented and undocumented traps in the OS, the rather primitive
>file protection many of these traps instill, and the thousands of
>errors based in error trapping which will usually generate an error
>message prior to overwriting files and the like. AppleScript offers
>the possibility for script based viruses (if the script virus can
>evade all the traps) ... but in general all the script based viruses
>which inflict the macintosh are those that pertain only to MS Office
>on the Mac. (Don't use it ... and you don't get them.) Networking
>security is good simply because the Mac converts externally received
>packets into its own AppleTalk packet type on receipt ... which makes
>TCP/IP control based attacks relatively ineffective. The low virus
>incidence is also affected by the relative market position of the
>Mac, and the lack of any 'standard' installs of OS and applications.
>Note: any security the Mac may have was not the result of any efforts
>or intent by Apple - it simply happened as a result of the way the
>MacOS evolved. 7000 odd viruses - 40 binary and 6960 MS Office Macro
>viruses (which are a non-issue if you don't use MS Office) - but none
>of the system destroying ones or the e-mail viruses, 2 worms, no
>known network attack vectors other than Denial of Service - but then
>I wouldn't consider MacOS 9 a server operating system anyway.
>
>LINUX. Problems with various applications, DOS attacks and the odd
>virus and worm. Like UNIX has a high degree of file, directory and
>process protection inherent in it - and can limit the damage in more
>malicious attacks quite effectively. Some critical server elements
>and files can be easily corrupted or installed in malicious variants
>if one doesn't use a trusted update process, and those overseeing the
>update process don't do their jobs. Across the whole LINUX family ...
>about 40 known viruses, 5 or 6 worms, and maybe 200 odd network based
>attacks - centred on different server applications, rather than the OS
>generally.
>
>UNIX (variants include Solaris, MacOS X, SCO and the like). Because
>of its market position (primarily as a server rather than client OS)
>you don't see too many viruses or worms directed at UNIX. Those that
>do hit it more often than not run into its file, directory and
>process protection and fail to do any significant damage. I suppose
>the bottom line is that UNIX was designed from the ground up as a
>network operating system, and has had 30 years to mature. There are a
>number of worms that have been directed at the platform over the
>years ... including a couple of quite famous ones! ... but by and
>large malicious code which attacks UNIX tends to be on the networking
>and/or network applications side of things. This may change as the
>UNIX platform shifts into a client role with MacOS X and the like.
>About 10 worms across the platform, I don't know of any viruses (very
>few), and 300 odd network application attacks.
>
>MVS and other mainframe OS's. Get real ... who is gonna write and
>install the code and how would they distribute it in a hardwired
>mainframe world ?
>
>Even numbers can be deceptive however ... because with security what
>it really comes down to is damage potential. For example an attack
>that buries a server application (like an e-mail virus that hits
>Exchange Server, or buries Sendmail in receipts or whatever) can have
>effects on a vast number of users and enterprise processes over and
>above an attack on a single client. Attacks which can actually trash
>hardware (and there are a number of viruses in the past which have
>actually done this) must be considered more economically damaging
>than attacks that don't. Attacks which wipe precious data are more
>damaging than those which simply zap application code. Network DOS
>attacks are more damaging than other network attacks ... and
>particularly galling given the fact that the victim's server isn't
>the one which has been infected with the attacking code!
>
>I suppose what I'm getting at here is all these simplistic studies
>seem to be marketing directed and don't really address the issues.
>For example, MS could say in terms of Internet servers they only hold
>about 30% of the market ... therefore an attack that hits MS servers
>is only 50% as serious as one which hits UNIX servers (which holds
>about 60% of the market). LINUX advocates could argue that since
>only about 10% of Internet servers are LINUX based, a BIND
>vulnerability which affects them is not as serious as one that nails
>MS and UNIX variants of the same application. The bottom line is that
>the possibility (nay the probability!) of different commercial (and I
>suppose ideological) twits putting their own Spin Doctor emphasis on
>whatever they say depending on whom they're talking to and what they
>want to sell is inordinately high.
>
>What I'd really like to see is some security assessment methodology
>that considered the following weighted aspects ... and was applied
>rigorously across systems:
>
>1. Incidence (of the affected code on the network, in the distribution
>system etc)
>2. Damage quotient (based on the extent to which it damages hardware,
>OS, software or whatever components of a given system)
>3. Economic cost (individual - for damage, data loss and the like)
>4. Network effect (purely based on the effect it can/could have on
>network performance)
>5. Contagiousness (estimated number of vulnerable systems)
>6. Distribution (number of individuals with affected systems)
>
>There's probably a number of other aspects that should be considered
>(and sub-aspects of the ones I mentioned) that I haven't considered
>here ... but if we used weighted scorings we would be able to better
>determine the relative seriousness of threats ... and our threat
>analysis would be much more effective.
>
>At any rate, I just thought I'd throw that out there and see what
>Linkers thought. I mean this topic keeps coming up in one way or
>another and it usually degenerates into 'much ado about nothing'
>after a few weeks ... but in between it often generates a wide degree
>of interest.   :)
>
>				Regards,
>_______________________________________________
>Link mailing list
>Link@mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link


bobj

Dr. Bob Jansen
Managing Director,
Turtle Lane Studios Pty Ltd,
Physical: 1 Turtle Lane, Erskineville, NSW 2043, AUSTRALIA
Postal: PO Box 26, Erskineville, NSW 2043, AUSTRALIA
Phone & Fax: +61-2-95 19 99 85
Mobile: 0414 297 448
Email: Bob.Jansen@turtlelane.com.au
WWW: http://www.turtlelane.com.au/

____________________________________________________________

Go to http://www.turtlelane.com.au to see how we can help you with
* Events On Line - web sites utilising streaming video and audio synchronised with images and text
* Information Architecture - planning and designing your information system
* Electronic Publishing - publish your digital content to its full effectiveness and not just electronic paper
* HACKER ALERT - a system for protecting your web site against hackers and site defacement
* SWOTRecorder - a program to assist you in recording the results of your SWOT analyses

