[conspire] (forw) Re: New Trojan Spies on Linux Users by Taking Screenshots and Recording Audio

Rick Moen rick at linuxmafia.com
Sat Jan 23 02:04:02 PST 2016


Quoting Paul Zander (paulz at ieee.org):

> [verify email to mailing list]
> Continuing on Rick's bank robber analogy:  Many banks do pay for the
> described "security" service.   When Bonnie and Clyde show up, the
> security man looks at his photos and lets them in.   Some number of
> heists will have occurred before Bonnie and Clyde are recognized and
> the appropriate pictures are FedEx'd.

Yes, and this is what Ranum calls the 'enumerating badness' problem.

http://www.ranum.com/security/computer_security/editorials/dumb/

  The Six Dumbest Ideas in Computer Security
  [...]
  #2) Enumerating Badness

  Back in the early days of computer security, there were only a
  relatively small number of well-known security holes. That had a lot to
  do with the widespread adoption of "Default Permit" because, when there
  were only 15 well-known ways to hack into a network, it was possible to
  individually examine and think about those 15 attack vectors and block
  them. So security practitioners got into the habit of "Enumerating
  Badness" - listing all the bad things that we know about. Once you list
  all the badness, then you can put things in place to detect it, or block
  it.

  Why is "Enumerating Badness" a dumb idea? It's a dumb idea because
  sometime around 1992 the amount of Badness in the Internet began to
  vastly outweigh the amount of Goodness. For every harmless, legitimate,
  application, there are dozens or hundreds of pieces of malware, worm
  tests, exploits, or viral code. Examine a typical antivirus package and
  you'll see it knows about 75,000+ viruses that might infect your
  machine. Compare that to the legitimate 30 or so apps that I've
  installed on my machine, and you can see it's rather dumb to try to
  track 75,000 pieces of Badness when even a simpleton could track 30
  pieces of Goodness. 

  [...]



Now, if you'll kindly indulge me, I'll comment on your comments.

> Be careful about unfamiliar websites when downloading. 

I'll quibble a little:  Files don't become any form of threat merely
because they come from an untrustworthy source -- or even from an
outright evil and malevolent source, actually.

Before a file even potentially is able to hurt you merely from arriving
on your system, (a) it must be one of a very limited number of special types
of file that (b) you then are willing to process in very particular ways
(and do so).  Both of those things must be true, otherwise there is no
particular need for 'care'.[1]

A 'malicious' executable that you download is potentially hurtful -- but
only if you run it.  So don't.[2]  A 'malicious' Linux distro package is
potentially hurtful -- if you install it, which implicitly runs scripts
within the package.  So don't.[3]  A 'malicious' PDF containing nasty
embedded Javascript is potentially hurtful -- if you run the Javascript.
So don't.  (Only one PDF viewer is even potentially willing to run
embedded Javascript in PDFs, that being Adobe Acrocrud, which you should
avoid installing if humanly possible.  If you must install it, you
should either never have it handle files from public networks or disable
the Javascript functionality in its setup screens, or both.)  A
'malicious' Java applet is potentially hurtful -- if you run it.  So
don't.  Flash has such a badly designed automation language that it 
can include requests to do scary things that are potentially hurtful --
if you run the Flash code.  So don't.

This notion that files are dangerous as an inherent quality is
pernicious and wrong.  No file is dangerous merely because it's
there.[1]  Files are dangerous if they _do_ dangerous things.  If you just
make sure that files that _do_ things are limited to the ones you wish
to do things, you can stop being afraid of files.

> Use NoScript to minimize unknown things from running on your
> machine. 

Rockin'.

NoScript also gives you very fine control over the details of what you
choose to allow to run.  It is a very good idea to spend time in the
detailed configuration screens.

> Don't open links from suspicious emails.

I do not agree with the implication that links are dangerous.

I _would_ agree that opening links from suspicious e-mails is very often
an utter waste of time and will take you to some cheesy come-on or scam.
But that is not dangerous.

When you load a Web page by following a link, your browser is sent HTML.
The HTML includes various sorts of requests to do things.  If you have
done an even half-assed job attending to the configuration of your
browser (e.g., not haplessly handing off all PDFs to Adobe Acrocrud with
its horribly dangerous default-enabled support for Javascript), and
_especially_ if you have NoScript enabled and have tweaked its settings,
you have nothing to fear from _merely_ receiving any HTML.

Why?  Because HTML is just a set of requests, and any reasonably
configured Web browser will say 'no' to all unreasonable/unwise requests
in the HTML.  It won't run the Flash animations.  It won't hand off
'malicious' PDFs to Acrocrud.  It won't read and write files around your
system.  It'll only be able to be obnoxious in ordinary ways that core
HTML supports.

And you really do not need to be afraid of HTML.  If you do, then you
are doing something terribly wrong with the configuration of your Web
browser, and _that_ is the problem you should fix.


[1] Edge-case counterexamples might include, say, the file is not what
was advertised, but is child pornography.  Your only sane move is then
to quietly and immediately delete that file, as people have been
prosecuted merely for it being on the user's hard drive, and had to
prove that it wasn't there by their intention and knowledge.

[2] Provenance is / ought to be vital for what executables you are
willing to run, and thus also code attestation is vital -- who is this
person, is the code signed, who vouches for the code and the alleged
author, can the signature be vetted.

[3] In 2009, a couple of alleged GNOME screensavers were uploaded 
directly to uncurated site gnome-look.org as .deb packages, and turned
out to 'infect' the systems of utter idiots who downloaded the .debs and 
'installed' them, where 'installed' meant they mindlessly double-clicked
on them in the Nautilus file browser, which brought up Synaptic, which
prompted for the sudo-root password, then ran the .deb's preinst and
postinst scripts.

The idiots in question never stopped to think there's no reason a GNOME
screensaver should be a deb package archive, nor stopped to think
whether it's wise to install with root authority a package downloaded
from nowhere-in-particular.

The above example illustrates well, I think, why packages are of concern
and where those concerns arise.

-- 
Cheers,                  QA engineer walks into a bar.  Orders a beer.
Rick Moen                Orders 0 beers.  Orders 999999999 beers.  Orders
rick at linuxmafia.com      a lizard.  Orders -1 beers.  Orders a sfdeljknesv.
McQ! (4x80)              -- @sempf, https://www.sempf.net/post/On-Testing1.aspx
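Footnote [3] above turns on one mechanism: dpkg runs a package's preinst/postinst/prerm/postrm maintainer scripts as root, so the real question about a .deb from nowhere-in-particular is what those scripts do. The following is an added example for this thread, not code from the original post or from the Debian project: it parses a .deb (an `ar` archive containing `debian-binary`, `control.tar.*` and `data.tar.*`) and lists the maintainer scripts inside the control tarball so they can be read before the package is handed to a package manager. The sample package it builds is constructed here for illustration; the package name, maintainer and script contents are invented.

```python
"""List the maintainer scripts inside a Debian .deb before installing it.

Added example, not part of the original mailing-list post.  A .deb is a Unix
`ar` archive; the control tarball inside it carries the maintainer scripts
(preinst, postinst, prerm, postrm) that dpkg executes with root privileges.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_members(blob: bytes):
    """Yield (name, data) for each member of a Unix ar archive."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive (missing !<arch> magic)")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]  # fixed 60-byte member header
        name = header[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to even offsets


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: script_text} for maintainer scripts in the .deb."""
    for name, data in _ar_members(deb):
        if name.startswith("control.tar"):
            # mode "r:*" lets tarfile detect gzip/xz/plain compression itself
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                found = {}
                for member in tar.getmembers():
                    base = member.name.lstrip("./")
                    if base in MAINTAINER_SCRIPTS and member.isfile():
                        text = tar.extractfile(member).read()
                        found[base] = text.decode("utf-8", "replace")
                return found
    raise ValueError("no control.tar member found; not a .deb?")


def report(deb: bytes) -> list:
    """Human-readable summary of what installing this package would execute."""
    scripts = maintainer_scripts(deb)
    if not scripts:
        return ["no maintainer scripts: installing runs no package-supplied code"]
    return [f"{name}: {len(text.splitlines())} line(s), run as root by dpkg"
            for name, text in sorted(scripts.items())]


# ---- constructed sample package (invented contents, for illustration) ----

def _tar_bytes(files: dict) -> bytes:
    """Build a gzip-compressed tar of {name: text} in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name="./" + name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_archive(members) -> bytes:
    """Build a Unix ar archive from a list of (name, bytes)."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


def build_sample_deb() -> bytes:
    """A hypothetical 'screensaver' .deb that ships a postinst script."""
    control = ("Package: example-screensaver\nVersion: 0.1\nArchitecture: all\n"
               "Maintainer: nobody <nobody@example.invalid>\n"
               "Description: constructed sample package\n")
    postinst = "#!/bin/sh\nset -e\necho 'this line runs as root during installation'\n"
    return _ar_archive([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_bytes({"control": control, "postinst": postinst})),
        ("data.tar.gz", _tar_bytes({})),
    ])


if __name__ == "__main__":
    print("\n".join(report(build_sample_deb())))
```

On a real system the same review is `dpkg-deb -e package.deb ./ctrl`, which extracts the control tarball (maintainer scripts included) into `./ctrl` without installing anything; the point of the parser above is only to show that these scripts are ordinary files sitting in the archive, readable before any root prompt appears.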