[TriLUG] Privileges and Social Engineering

Mike Johnson mike at enoch.org
Fri Jun 11 19:41:25 EDT 2004


Jeff Tickle [jtickle at jtsoft.net] wrote:
> 
> And if Linux were ever sold pre-installed on computers in a store, this
> could be a first-boot kind of thing.  Nothing functionally changes; just
> the wording, and if the user doesn't know they can log in as the
> "configuration" (root) user, they won't.  It's about wording, and how
> that affects people's ideas.
> 
> Just a thought *shrug*

It's -soooo- much easier than this.  Apple has solved this problem in 
OS X.  It's so simple, it's brilliant.  On first boot, a user is asked
to create an account for themselves.  This is usually their name, and
they get an option for a nickname.  Then, they -always- log in as this
user.  Root is not enabled (OS X is UNIX under the covers, remember) and
this regular user is obviously limited in what they can do.  If they
want to break out of that, they either use sudo from the command line,
or a pop-up screen comes up where they must enter their password. (Yes,
there are still social engineering things that can be done here, but
it's irrelevant, see below.)

Now, all that said, keep in mind that a virus really doesn't need to be
root to spread.  It can do all that just fine as your user.  Maybe add a
little magic to your .bashrc, .profile, .cshrc, .login, etc just for
fun.  It can still read your address book, it can still send mail as
you (for propagation), it can still be used as a zombie to DDoS SCO.
And with its addition of itself into your startup scripts, it won't go
away.  Now, it's not difficult to get rid of the little beastie, and it
can't leave behind a rootkit, but it never needed root access at any
point along the way.

Windows is a target rich environment, nothing more, nothing less.  The
virus that I just described is pretty much how they work on Windows,
with the exception of adding themselves to the system startup.  A virus
like this would also work on Solaris, AIX, FreeBSD, and even, OMG,
OpenBSD (and any other multiuser operating system).  Hell, it could even
work on an SELinux system.  All it takes is an email that says 'hey, run
this attached script'.

Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
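The persistence Mike describes needs no root: a worm running as the user appends a line to .bashrc, .profile, .cshrc, .login and so on, and it survives every logout. The check below is an added example and is not code from the post or from TriLUG. It hashes a user's shell startup files on a known-clean system, then reports any file that has changed since, with lines matching a handful of heuristic indicators (the indicator patterns and the sample file contents are assumptions constructed for this example, not a vetted signature set).

```python
"""Detect user-level persistence in shell startup files.

Added example (not from the post).  Works entirely as the user, since the
files in question are owned by the user; no root needed to plant or to find it.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Startup files named in the post, plus common siblings (assumed list).
STARTUP_FILES = [".bashrc", ".bash_profile", ".profile", ".cshrc", ".login", ".zshrc"]

# Heuristic indicators, assumptions for this example rather than a signature set.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"), "network fetch piped into a shell"),
    (re.compile(r"\bbase64\b\s+(-d|--decode)\b"), "decodes an embedded payload"),
    (re.compile(r"\bnohup\b|&\s*$"), "starts a background job"),
    (re.compile(r">>\s*~?\S*\.(bashrc|bash_profile|profile|cshrc|login|zshrc)\b"),
     "appends to another startup file"),
    (re.compile(r"\b(sendmail|mail|mailx|mutt)\b"), "sends mail from a login script"),
]


def find_suspicious_lines(text):
    """Return (line_no, reason, line) for every non-comment line hitting an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        for pattern, reason in INDICATORS:
            if pattern.search(line):
                hits.append((n, reason, line))
    return hits


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(home):
    """Hash each startup file that exists; run this on a system you trust."""
    return {name: digest(home / name) for name in STARTUP_FILES if (home / name).is_file()}


def scan_startup_files(home, baseline):
    """Report files changed since the baseline with their indicator hits.

    A changed file with no hits is still reported (empty list): eyeball it.
    Unchanged files are skipped, so benign noise in the baseline does not alert.
    """
    report = {}
    for name in STARTUP_FILES:
        path = home / name
        if not path.is_file():
            if name in baseline:
                report[name] = [(0, "file removed since baseline", "")]
            continue
        if baseline.get(name) == digest(path):
            continue
        report[name] = find_suspicious_lines(path.read_text())
    return report


# Constructed sample files for the demonstration (not taken from any real system).
CLEAN_BASHRC = """# ~/.bashrc: executed by bash(1) for non-login shells.
export EDITOR=vim
alias ll='ls -l'
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
"""
CLEAN_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
PATH="$HOME/bin:$PATH"
"""
# Inert text standing in for what a user-level worm would append: restart itself
# in the background, and copy the same line into a second startup file.
WORM_LINES = """
# constructed sample of a worm's persistence lines (inert text, not malware)
nohup "$HOME/.cache/.x" >/dev/null 2>&1 &
grep -q '.cache/.x' ~/.profile || echo 'nohup "$HOME/.cache/.x" >/dev/null 2>&1 &' >> ~/.profile
"""


def demo():
    """Build a clean fake home, baseline it, append the worm lines, rescan."""
    home = Path(tempfile.mkdtemp())
    (home / ".bashrc").write_text(CLEAN_BASHRC)
    (home / ".profile").write_text(CLEAN_PROFILE)
    baseline = build_baseline(home)            # taken while the files are clean
    with (home / ".bashrc").open("a") as f:    # exactly what the worm does, as the user
        f.write(WORM_LINES)
    return scan_startup_files(home, baseline)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: changed since baseline")
        for n, reason, line in hits:
            print(f"  line {n}: {reason}: {line}")
```

The baseline hash is the part that matters: the indicator regexes are easy to evade (a worm can name its binary anything and launch it without `nohup`), but a startup file that changed when the user made no change is a question worth answering. Keep the baseline somewhere the user's own account cannot rewrite, or it is only as trustworthy as the files it describes.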
