|
|
|
|
|
|
by gkya
3700 days ago
|
|
|
My intuition was that malware attacks were less prominent nowadays. I certainly cannot and will not deny the advantage of OpenBSD in front of malware, and I also cannot and do not ignore botnets, keyloggers, various code injection attacks, etc., but I believe nowadays what's at the highest risk is what we store on others' disks, i.e. the cloud, and what the commoners do, like emailing passwords in cleartext, using clumsy inept passwords, not caring about https, not knowing that one has to block JavaScript, etc. Aren't these more easily exploitable in practice than say a stack overflow somewhere in my programs (not a rhetoric question)? Though I'm no security expert. But I know that it's easier to get the bucks of a 50-year-old first-time-internet-user who's heartly disposed to enter their Gmail password to any box with a Password: label. I know many of them. To many the URL bar is linenoise. "bank.com.hackersdomain.tk"? Some cryptic crap, I don't know what it is, it looks like my bank. The morale is an ignorant user can easily be exploited even on OpenBSD, while a security-savvy user can secure himself even on an insecure OS. Thing is, the former is way more prominent, they're in billions. I don't dismiss advantages to secure OSs, but say that the more important problem is inept users. |
|
|
They are and they aren't. What you're seeing is a combination of economics and improvements in software quality. Economics says they focus on whatever gets them the most zombified PC's since competition drives prices of each individual PC down in black market. To get this, they target apps with most widespread use. This is why almost all 0-days were found in Windows, IE, Firefox, Java, Adobe Acrobat, etc.
Microsoft's SDL & QA tools did them a 180 on code quality. Low-hanging fruit in major apps might be drying up because so many bugs were found. Attackers shifted focus to backend databases via hits on web apps as that's new low-hanging fruit (read: shit security) with huge rewards (eg million records at once) for success. So, it's not that it's gone away so much as not as popular while low-hanging fruit exists for their purposes. Organized crime, esp targeting online banking, plus nation-states continue to find, sell, and use 0-days for malware. It's still a thing except stealthier and more targeted.
"Aren't these more easily exploitable in practice than say a stack overflow somewhere in my programs (not a rhetoric question)?"
Oh yeah. Skilled hackers look for all of that. They'll look for that kind of stuff first since it saves time.
"The morale is an ignorant user can easily be exploited even on OpenBSD"
No argument from me there.
"while a security-savvy user can secure himself even on an insecure OS"
That's been disproven by too many pentests. You can cover lots of known risks but then get hit by something inherent in poor foundation you built on. I liken it to building your castle on foundation of quicksand. Security properties work layer by layer, piece by piece, from bottom up plus interactions with other systems via protocols. I might be able to secure DOS apps but DOS's intrinsic properties might eventually do me in. See what I'm talking about?