November 06, 2006

Hot or Not Part Deux

In case you've been following along, I promised last month to keep on top of SC's "Hot or Not" feature. Well, I'm a bit late to the party (seeing as how it's November and the column came out in late October), but at least I didn't miss it entirely. Anyway, this month eEye founder Marc Maiffret posits that wireless card attacks are not hot, saying instead that they are just hype - nothing sums up his take better than this selection:

Do we all really believe that the next major wave of identity theft attacks is going to happen by Eastern European hackers flying to the United States to sit at your local Starbucks and hope that someone with the correct vulnerable wireless card driver is going to fall victim to their scheme?

Now, in my opinion, Marc's half right - or how about "right from a certain point of view." Here's what I mean: everything Marc says about the attack is 100 percent true: it's not particularly likely to occur, it's the least of your worries at the local Starbucks, and it's not any more technically interesting than other kernel-level issues already documented in other products. All true. So, judged solely on the merit of the bug, I would tend to agree with Marc; the panic associated with this issue is way out of line for the threat. But there is one area where I think we do need to move beyond the merit of the bug to determine "hot vs. not" status - namely the Mac community's response to it.

Now I've learned the lesson that saying something negative about Mac security signs you on for the flame email barrage, but just for the record, let's not forget the following:
- MacWorld denied the existence of this flaw
- Public claims were made that the BlackHat demo was entirely fabricated
- Public assertions appeared in the press that the demo was rigged
- Apple still hasn't given full credit to the researchers

So, while I agree with Marc that this isn't the worst thing in the world from a security perspective, I think it makes for interesting fodder for discussion nevertheless.

Posted by Ed at November 6, 2006 05:35 PM
Comments

Yeah, the Mac community can certainly react violently and passionately if you insinuate the wrong thing, especially in security.

I think the topic is actually hot. Like last year's Lynn/Cisco debacle, this year's biggest waves were centered around Apple's wireless non-vulnerabilities. It sparked outrage by the Mac community, security researchers, full-disclosure debatists, questions about media/blog news accuracy and FUD, and so on. The fact that a number of wireless driver patches have been released this year illustrates the impact.

Granted, Marc is correct that the local Starbucks may not have attackers sitting there waiting to hack a system, but there are two important things to remember.

First, it does not have to be a low-population wireless hotspot. Go to an airport and unleash a worm that exploits those holes. I think that would make some news headlines. Will it occur? Perhaps not, but then again all it takes is some mischievous people to try it. While this takes some physical proximity, it is still a largely anonymous attack which so many script kiddies latch onto.

Second, while organized crime may not realize huge returns from posting a guy at a Starbucks, that won't address local criminals. There have been incidents where someone has MITMed connections at hotspots and done various other things to just get a few hits. South Africa has experienced this quite a bit of late as well. Just like it might be game for someone to hack a neighbor's WEP just for the heck of it, or sniff at a local hotspot just to see what comes up without any real malicious fraud goals in mind, so too could someone fire off driver exploits and cause some confusion and havoc.

Lastly, though, our culture is becoming increasingly mobile and isn't going to stop, really. As organizations continue to adopt laptops, we need to be able to trust those platforms to remain secure. If laptop wireless is basically rootable or so very easily DoSable, we cannot trust those platforms anymore, and that opens up all sorts of legal gaps and deep problems.

Anyway, that was far longer than I intended, and I certainly mean nothing heated or passionate in my comments; just discussion and another viewpoint is all. :)

Posted by: LonerVamp at November 7, 2006 12:04 PM

LonerVamp,

There definitely is a cult of Mac. I actually have a Mac (I use a Windows machine for work, but the computer that I use most often is a Mac) and I'll tell you - I don't think that Apple has done themselves (or their user community) any good by fostering the impression of invulnerability when using one.

For example, there are quite a few people who believe that Apple responds faster to security issues than other vendors. This is the marketing. Folks who have done the math though, know that it isn't accurate marketing - in point of fact, Apple is consistently slower to respond to security bugs than other vendors. I've posted about this here

http://www.securitycurve.com/blog/archives/000287.html

and here:

http://www.securitycurve.com/blog/archives/000357.html

but other people have done a better job of covering it in more depth (other folks have treated it as research.)

Anyway, if it were me, if I lived next to a Starbucks, and I wanted to cause some trouble - I'd probably write a script to 0\/\/n machines that drift by who happen to be vulnerable to the card issue. After a few days of the "passive attacking", you'd probably have a dozen or so machines for a goodly-sized botnet. All with little risk to yourself and without doing much work. Of course, I don't live near a Starbucks, and I probably wouldn't do this even if I did... but the fact that somebody could do it is food for thought.

-E

Posted by: Ed at November 8, 2006 05:31 PM