Posted on 02/08/2018 6:16:47 AM PST by Voption
A survey of computer security experts confirms that they generally consider Linux superior to either the Windows or Apple operating systems when it comes to security....And if you want to try out Linux, all you really need is a spare laptop or desktop, one or two years old, that you aren’t using any more, and to then follow the instructions provided here on Behind the Black by reader James Stephens for Getting and Installing Linux."
(Excerpt) Read more at behindtheblack.com ...
That is wrong. Notice I said "desktop users." Linux has a far greater install base than Windows does when you account for Internet servers, routers, appliances, web sites, super computers, etc. The sheer volume of Linux installs in the wild would boggle your mind and dwarf anything Microsoft could scrape together.
Besides that, the OSes are NOT equal. Linux attack vectors are not the same as Windows attack vectors. Linux not only has far fewer, but they are much more difficult, if not impossible, to utilize. Take, for instance, Red Hat's Atomic Host. It's built on entirely open source code. Yet I can put a basic, vanilla install out on the internet, and no one will be able to get into it. It's impossible, providing the sysadmin does not give out the username and password (but that's not an OS issue). 90% of the OS is read-only. There are no tools to install software (except for one, and that tool is not shared among other flavors of Red Hat), there is no way to add users. Heck it doesn't even come with a firewall. But it doesn't need it.
More apps = more avenues for hacking.
There are many more apps written for Linux than Windows. Granted, not many (comparatively) are games, so most people don't hear of them. But the sheer number of applications on Linux means that even those expert in the OS probably have not heard of most of them. Number of applications != more attack vectors.
Most people not familiar with Linux believe the lies they've been told about hacking and vectors that the media puts out. 90% of what they say is not true.
No, Linux machines run many of our financial institutions and they are FILLED WITH MONEY. . . Getting into a Windows machine, the best you are likely to be able to do is to get it to send you someone's credit card info, get into their bank account and get a couple thousand. If you can hack into a Linux computer you can get one to send you billions of dollars into a bank account of your choosing from which you can send it elsewhere.
Trust me, I know. Someone hacked into the CREDITCARD SERVICING COMPANY after creating a credit card account in my company's name several years ago. They opened a business account in my company's name with Capitol One and then proceeded to start processing stolen credit cards using that set up. We only found out about it when a woman in Massachusetts called me to ask why a dental office in California was charging thousands of dollars to her credit card. Since we weren't I started trying to track it down.
By the time I was finished I had a stack of paper 18" tall, had involved the Federal Trade Commission, the US Department of Justice and Department of State (the miscreants were using an ISP in Canada for their email and even though they had our address, name, and other specifics, refused to talk to us because the person's whose name was on the account —bogus name— was NOT anyone who worked at our office, without a Canadian Court order), the Federal Trade Commission, the FBI, the local police, Massachusetts police, Police in New Orleans (Federal One), the California Public Utilities Commission (the Crooks had hijacked a Windows computer on a CELLULAR TOWER outside of Modesto to host their fake version of our company), the FCC (the Cell tower computer), and several other Federal Agencies. . . because they had done something they all though was impossible: The money NEVER REACHED Capitol one's bank account they'd opened. That was opened just to get the servicing account in the first place. The money was intercepted in transit inside the bankcard servicing company's LINUX SERVERS and redirected ELSEWHERE! THAT had the banking industry in a tizzy fit. That was not supposed to be possible.
The upshot was that we were just a tiny fraction of the fraud that was going on (we caught it early from that lady's phone call) and the dollar volume that his us was only $32K and change, but the crooks were already over tens of billons of dollars doing the same thing using other small business' names who did NOT catch it. WE DID. . . and brought the thing to light. . . Oh, incidentally, they were using our CREDIT CARD MACHINE's PHONE NUMBER. . . one that most businesses don't even know. . . as a phone number for their business. How did they get that?
The point is that they were hacking into Linux servers to steal BILLIONS... and they were never caught. They were stopped. . . and the particular vulnerability they were using was patched, but that's where the money is, in UNIX and LINUX servers.
+100
“In Unix systems it is a little better because of the hash that”
I see what you’re saying. A computer needs to have something inside of it so it knows when the correct password is typed. That “something” is the password that has been encrypted (hashed).
Hmmm. So if the hacker knows how this encryption scheme, and can find the encrypted password within the computer, he can compute the correct password.
The password thing is one aspect of hacking. The other aspect is a hacker getting harmful programs executed in the computer. This aspect is the biggest problem for me at home - something happens and all of a sudden my computer is messed up. Or maybe it’s having harmful stuff put into the registry, or having my browser messed with.
Would largely agree with that. I'm willing to accept the marginal difference in security on Linux as a trade-off for the added flexibility I get with it.
Problem is a computer has to run executables. Otherwise it’s useless, and if you’re going to allow executables, well you allow executables. Some of them might be bad. And in this modern world some of those executables are coming from the internet. Your method means there’s no Office365.
Breaking a hash is called cracking and if you do a search on the Internet for a "cracking rig" you will find instructions on how to build one.
You also have the correct understanding about hashes or as you said "encryption scheme". While it is not possible to reverse a hash like you can reverse an encryption, the password can still be found by trying multiple attempts and once the hash produced by the attempt is the same as the hash from the system, you now know the password. Kind of reverse guessing.
I would point out that passwords are used in many different areas including WiFi, VPNs, routers, switches, and other infrastructure. These passwords can also be cracked off line if the hacker is able to obtain a copy of the hash.
I would also point out that users are not as clever as they think they are and often use the same passwords that other people use. "password" becomes "Passw0rd" and they think that hackers dont know this. Silly user, we have lists of passwords (called dictionaries). In fact, it is so common that I have sent up a special offering to banks where we can now search for a password from a whole bunch of dark web dictionaries. Several million passwords and variations on passwords. If I find the hash, I tell the bank that users xyz needs to change their password. Scares the hell out of security guys when I tell them that 10% of the list of user accounts have weak passwords.
You are also correct about the user being the weakest link. I cant tell you how many times in my walk through, I have used my cell phone to take pictures of a work area / pc and have the passwords written down beside the computer.
Viruses and malware are another issue but in most enterprises, this is becoming less of a threat as anti virus programs are making this more difficult. Still have problems with the phishing attacks and users clicking on unknown emails. Dont even get me started on the vishing (voice calls).
Yup. Hacking windows is the criminal equivalent of a mugging.
It's worth noting that when Microsoft wants to deploy a world-class hosting service (Azure), they use Linux not Windows to implement it.
Sorry. That's not how it works. The type of has used is know as a 'one-way hash'. Knowing how it works (or even having the source code to it) does not help you in determining the password. A well-designed hash has a very low incidence of collisions, meaning that it is very unlikely that two different strings will produce the same hash. When you authenticate on a Linux (or Unix), the password entered is run through the hashing algorithm. The result is compared against the stored hash of the password. If the two values do not match you are denied access. The password itself does not exist anywhere on the computer in an unencrypted form. There is know known way to reverse the hash process, i.e., to take a hash and determine what the plain text was that generated it.
Below is an example of use of the 'md5' hash in use. Md5 is not considered particularly secure, because collisions have been created for it. You'll note that the hash is always a fixed length regardless of the input. This is one great property of a hash, IMO, as you can generate the hash of any file, and it will always be a string of a known size. You'll note that making the tiniest change, completely changes the resultant string.
$ echo "This is a test" | md5sum ff22941336956098ae9a564289d1bf1b - $ echo "this is a test" | md5sum e19c1283c925b3206685ff522acfe3e6 - $ echo "this is a tesT" | md5sum d89f65eae2a4819b989ce6de41c2b3e0 - $ echo "This is another test of a greater length" | md5sum 5c0b624027ee25c611140baf48dc745a -
I've used security programs in the past that would compute a hash of every file in specified directories on a computer. This program is run periodically. If any file from certain important directories changed, it would flag that change. This is actually a very good way of validating the integrity of a system that is in a known good state.
Getting a copy of the hash can be a real bear on some systems. iOS for example, and now on the newest iMacs, the hash is kept inside a Secure Enclave which is unreachable from outside, and is not even touchable by the device's own data processor. It is only accessible by the devoted encryption processor which is INSIDE the Secure Enclave. The passcode that is used to actually unlock the encryption on the device is not even the passcode that hash, but that has is used only as one part of four pieces, three of which are unique and each of which are also stored on that Secure Enclave and basically undiscoverable without destroying the device. Incidentally the algorithm which creates that hash is ALSO buried in the Secure Enclave.
The ONLY way to get to those data in the Secure Enclave is by a technique called Electron Microscopic Shaving. . . which is destructive. It using an Electron Microscope to read the domains of the multi-layer memory inside the Encryption Processor in hopes of locating, recognizing, and then reading accurately the HASH, the environmental record random number generated when the passcode was first entered, and the hard coded Universal Unique Device Identifier randomly burned into the silicon when the processor was manufactured, as well as the Model ID, the four components that are used by a hidden algorithm that actually DOES construct the 256bit AES KEY to unlock and decipher the data on the device. Oh, did I mention, you are going to have to FIND that algorithm as well? All without scrambling adjacent magnetic fields by spill over of the microscope's Electron Beam. . . which is at best only 90% accurate on LARGE, single level traces? I've not heard of it being successful on multi-level ICs, yet.
“anti virus programs are making this more difficult”
Do anti-virus programs block incoming messages based on a database within the anti-virus program of prohibited messages? And it lets anything through that doesn’t cause a hit in the database?
That doesn’t sound like the best of ideas. It’s bothers me that you need to get updates to your anti-virus program.
“Sorry. That’s not how it works.”
Interesting. I get the concept. A hash is sort of a checksum, huh?
And it really is not MALWARE, Garth Tater. It's a bug that merely CRASHES the iPhone. Nothing runs, nothing malicious happens except a denial of service until the user restarts the device, and NOTHING is running afterwards that harms anything. Once it does its thing its over with.
The description I was giving you was for a Mac, not iOS. . . it's not a Trojan one has to download, install, or run. It's a data overrun vulnerability that does not run any executable and cannot. Nice try. No banana.
No, it is not. A hash is a numerical code that is created from the password or passcode that is entered by the user. It is usually a one-way result of an algorithm that is a representation of the passcode that can be compared against a stored version that was created earlier. A hash may include alphanumerical characters and symbols. The algorithm that creates it will result in the same unique results every time that the same input is entered, but never create a similar result for any other input. Even a single character change in the input would make a drastic change in the output of the algorithm that would provide ZERO information to determine anything about how that single character change affected that result. For all extents and purposes, the result appears random.
A check sum will result in a similar result that can repeat with multiple inputs. It could be said it is a crude example of a hash, but only in a very limited way. Check sums are not random.
It is almost exactly like a checksum. :-)
The following are all various hashes of the same input. Generally today most folks up on this kind of stuff consider a checksum, md5sum and sha1sum to all be more or less broken because ways have been found to force collisions in them given today's CPU power available. Naturally, the more complex the hash, the longer they take to execute. As such I can see a place for md5 and sha1 for applications that do not require a great deal of security. If you want to be safe though you'd go with sha256 or sha512.
$ echo "This is a test" | cksum 528700049 15 $ echo "This is a test" | md5sum ff22941336956098ae9a564289d1bf1b - $ echo "This is a test" | sha1sum 3c1bb0cd5d67dddc02fae50bf56d3a3a4cbc7204 - $ echo "This is a test" | sha224sum 630bc085ac64cd003b1d533cd77b438a1a0aa14b9d45d697b71d1c46 - $ echo "This is a test" | sha256sum 9d63c3b5b7623d1fa3dc7fd1547313b9546c6d0fbbb6773a420613b7a17995c8 - $ echo "This is a test" | sha512sum 62f1c73922ba448579d9229f932e747c23d53400a6fb826c6ea5f478247420c62b681cd636840e0ae8556bcde856a24c0123c501aa3967c42530e3be8cb6de75 -
Pen testing and password cracking are two different things. Unless you can show a way to get the password hashes without insider access. But once you are a rogue insider then you have everything, cracking passwords is just gravy.
I don't think anyone really should have issues with security at rest (e.g. leave your laptop or phone on the train) but certainly having recent apple products or windows with TPM will keep your data safe. The problem is more about how to stay safe while the computer is active and you are running programs. In that case the cluttered kernel on Windows is a detriment, still processing attacker-controlled data. In particular windows systems support all kinds of third party hardware with crappy drivers.
That's not the case with Apple or Linux, in Apple's case it's Apple's hardware and drivers, and in Linux there is not much support except open source which can be vetted. Further as Swordmaker pointed out Apple now has System Integrity Protection so critical files cannot be altered by root. (one minor point, generally most Linuxes also disable root by default, but that's obviously not enough).
Several ways to get hashes. Here is a small example.
http://www.hackingarticles.in/4-ways-capture-ntlm-hashes-network/
https://blog.rapid7.com/2016/07/26/capturing-credentials-on-an-internal-network/
And for capturing hashes off of wifi:
http://www.kalitutorials.net/2014/06/hack-wpa-2-psk-capturing-handshake.html
One attack method involves building an extended range cantenna (https://www.wikihow.com/Make-a-Cantenna), then sit outside if the target in a parking lot or nearby location, use a wifi app that shows the signal strength, then set up the cantenna for the attack.
Use the above wifi hash capture to get on the network via wifi. Once on the network use one of the first methods to capture the hash during the login.
Other methods us directory traversal attacks to read files from backup directories. I have even seen admins save configuration files for network equipment on local windows boxes and these file (cisco configurations in particular) often have the hashes in the file.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.