The Desktop Security Battle May Be Lost 389
Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.
Does it matter? (Score:1, Insightful)
They'll just use it as an excuse to sell 'identity theft' insurance and dump more
liability onto the customer. Their security isn't much better. PCI specs aren't
nearly good enough and evven if it was it wouldn't matter considering the way they
handle data security. Using regular post to send CDs of customer records unencrypted,
laptops lost and data breaches. Chip and Pin is a joke. Contactless transactions are worse.
They really dont care as long as it doesn't cost them much and they can dump most of the liability onto us.
They should never have trusted customer machines. (Score:5, Insightful)
> ...many organizations, particularly in the financial services industry,
> have gotten to the point of assuming that their customers' desktops are
> compromised.
They should have been assuming that all along. They should assume it even if only a tiny fraction of their customers' desktops are compromised.
The most amazing part... (Score:3, Insightful)
of this alarmist drivel is that there are only 2 adds on the poster's page.
-Rick
Re:Security is as futile as DRM. Of course we lost (Score:4, Insightful)
If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.
What? No.
DRM can always be defeated because of its design. If I lend you the key to my apartment so you can go in and borrow some sugar or something, there's nothing I can do to stop you from cleaning out my apartment and skipping town. But to claim all locks are futile because of that is just retarded.
DRM can always be defeated because the "attacker" is exactly the same as the user, and you're already giving them everything they need. That is a system which is fundamentally flawed. Real security is where you don't give the attacker your keys, passwords, etc.
It is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people. There are also vulnerabilities from sloppy coding, but these have very little effect against users with good security habits.
Sure, it may never happen, but if so, that's because we'll always make mistakes. A completely secure DRM scheme is actually a logical impossibility, even if no one makes any mistakes.
Re:And this is why... (Score:5, Insightful)
The fundamental security model of Linux is no better than that of Windows. The main reason Windows gets nailed is that it's more profitable to write malware for Windows than for anything else. If Linux had the market share of Windows, it would have as much, or nearly as much, malware.
In either Linux or Windows, being able to run any code at all gives you essentially complete access to the user's data, plus almost unlimited access to system resources, plus the ability to talk to the network. Who cares if you're not running as root if everything interesting is owned by the user's account?
There are ways to make systems more secure, starting with strong containment. How strong? Strong enough that your program can't even express the desire to, say, open a file that the user hasn't given it a capability for. Strong enough that the user has to jump through hoops to give certain programs access to certain data. Especially programs with network access... which need to be only the programs that actually need it. Strong enough to subdivide lots of functions that people are used to putting together in the same process. Strong enough that you can forget about most of the APIs you're used to coding with. And, if you're going to run apps out on the network, that whole system has to extend out into the network as well.
On top of that, people ought to be using tools that make it a lot harder to express common security bugs, and that help you to notice when you've created others.
If this is to be fixed, users and programmers are going to have to change the ways they do things. I'm not super optimistic.
Linux helps not at all. Even OpenBSD wouldn't help much.
Assign responsibility to those who can do.... (Score:5, Insightful)
We need to assign responsibility to those who can do something about it.
Every day, my firewall emails me a list of port scans against it, sorted by IP address. Most days that list is just under 100 different IP addresses scanning me, some days it is in the thousands of IP addresses - from all over the Internet (i.e. not just local addresses). This is on a residential DSL connection that offers no services to the world, isn't linked to by any web sites, and does not respond to any unsolicited traffic.
It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.
Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.
This is one of those rare cases where "there ought to be a law" is a reasonable response: were ISPs required by law to investigate abuse reports and disconnect infected clients until those clients are cleaned up, the number of infected machines on the Internet would be reduced, the profit margins of the bot-herders and spammers wiped out, and the system would clean itself up. However, such a law would be fought most vigorously by all ISPs precisely because it would be internalizing a currently externalized cost, and it would be worth vastly more to ISPs to prevent such a law than the cost of lobbying against it.
(NB: "repeatedly submitting false abuse reports" is itself abuse, and should also result in the source of the false reports being shut down).
"Trojan/Worm/Virus" credits, anyone?
Sweeping Conclusion (Score:5, Insightful)
I disagree. Even working at a university, it completely depends on how you run your show. The department I'm part of has a border firewall, client firewalls, no one runs as administrator, antivirus, spyware, malware checkers are run on a regular basis. More important than any of those: we spend time to educate our users on security. They know what to avoid in terms of phishing scams, never to give out passwords to anyone, what to look for before you click on a link in an email (or even a website), etc.
To say the desktop war has been lost because the company you talked to has sucky IT and suckier IT clients...is just dumb.
It's a matter of convenience (Score:4, Insightful)
Re:Though the Times They May Look Grim ... (Score:5, Insightful)
teach them not to click yes blindly to every pop-up box without reading it, teach them not to fall for every phishing attempt under the sun
You cannot teach them something they do not want to learn. Users don't want to think about the pop-up box they just want it out of the way. Unnecessary dialogs have trained them to just click Yes or OK and get on with what they were doing. Horridly lengthy and unreadable EULA's have trained them to just scroll down and click Accept. Installers with too many pages have trained them to just keep clicking next till it says it's installed (something those insidious toolbars that are checked on by default take full advantage of).
Re:And this is why... (Score:2, Insightful)
you are quite a jokester, sir.
The differences in how to gain administrator access do affect up front security requirements.
It's not about profit, it's that windows gives people administrator by default (and you can still enable it in Windows 7).
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
The rest of the security is no different in most scenarios whether windows or linux. However, on this front, UAC doesn't do squat (especially when you can get around UAC).
Re:This again? Really? (Score:3, Insightful)
I hate Apple. And I don't own a single Apple device. Not a computer, not an iphone, and I never will (I only use Free Software). But I was talking about a friend's computer. And what I said was absolutely true. The machine has a 1ghz processor and 1 gb of ram. Try running windows 7 there.
You are a poor troll. 3/10.
Surely not (Score:2, Insightful)
The practice of using a single privileged account for everything - banking, reading slashdot, downloading porn - may be doomed, and about time too. But I still think there's hope for using a single piece of hardware and a single network. Even if it comes down to using not just separate accounts, but separate cores, for play and work. Last time I looked (a while back) some CPU manufacturers were adding features for process separation but the OS had not yet implemented support. End-to-end encryption should protect your data in transit, if not your usage pattern, though there a a few things to fix in SSL implementations to prevent MITM.
Re:Security is as futile as DRM. Of course we lost (Score:3, Insightful)
If you'd had locks on your car (and if you'd avoided the bad parts of town) then you'd be ok. However, because you went to foolish places and didn't take precautions, it's no surprise that next time you tell Jeeves to take you to the bank, you get taken for a ride in more ways than one.
Except you still miss the point (Score:5, Insightful)
I know that it's a sacred tradition to regurgitate fanboy oneliners without thinking, but in this case
1. it was even in the summary that by now even home routers are targeted by the asshats. I fail to see how a hardened Linux PC helps there.
2. Actually, it seems to me like most zombie PCs nowadays don't come from port overflow attacks any more, but because of users clicking on spam links, re-entering their bank password on some www.i-pwn-you.ru site (fictive address for example sake) because the email told them to, and installing crap.
I'm not sure how Linux would help there at all. You do know that you can download and install rootkits for Linux too, right? In fact even the term rootkit comes from the Unix world, not from Windows. What's to keep an asshat from making their rootkit masquerade as a cutesy Linux screensaver instead of a cutesy Windows screeensaver?
If user clue remains a constant, meet the Clueless family, a white suburban family whose only knowledge of computers is that the nice guy at the shop said they need the most expensive one: you'll still have Joe Clueless opening executables he received in spam mails. And his wife Jane Clueless confirming her Paypal and eBay password the fourth time this week alone, and none of them was on paypal.com or ebay.com. And downloading and installing some piece of spyware masquerading as some cutesy utility or casual game. And their son, Timmy Clueless installing what some dodgy site told him is some hack to see through walls in Counter-Strike. And of course it needs to be installed as root, in fact as a kernel module. So punkbuster (or equivalent) can't detect it, you know? *nudge* *nudge* *wink* *wink* Know what I mean, eh?
Just as they're not deterred by Windows popping up a big fat windows asking them if they really want to install stuff, they won't be deterred by whatever hoops your favourite Linux distro makes them jump through either. If they have to su -, they'll su -.
End result: they're still pwned.
So the battle isn't winnable (Score:4, Insightful)
The battle isn't winnable, not without a significant world wide crackdown on rights and liberties.
Using that logic to say we shouldn't fight the battle at all is fundamentally flawed though. It's akin to saying that the battle against murder, rape and kiddie porn isn't winnable and should be given up. Human nature cannot be changed, we've spent countless thousands of years learning and relearning that lesson when we forget what history has taught us before.
Just because human nature cannot be changed does not mean that we give up on protecting ourselves. You don't play to win, you play because you can't afford to lose.
Re:And this is why... (Score:1, Insightful)
iexplore.exe never asks for admin access. The installer for IE updates does, as it should, but iexplore.exe never does (unless a plugin does, I suppose -- or if you're blaming an application you downloaded on IE on iexplore.exe even though it's a different process).
Re:This again? Really? (Score:4, Insightful)
Don't use Windows. Was that so hard?
Actually yes, it really really was. I worked for a long time to get my windows games working under Linux, and the best I could do was get a mostly working WoW through newer versions of wine (older versions had graphical corruption). I could resort to virtualbox to run games like alpha centauri and civ2. I simply was unable to run newish games, period.
So I gave up. I dual boot now. Windows for games, Linux for everything else.
Not everybody uses Windows because they're lazy, ignorant to marketing, or even want to. Sometimes it's the only thing that actually works.
Comment removed (Score:2, Insightful)
Re:And this is why... (Score:4, Insightful)
So, suppose I'm the business end of a botnet.
What does administrator access give me?
Sure, I'll take if I can get it, because it might come in handy. But how important is it to me, really?
If I want to steal the user's credit card number, it's right there in a Quicken file. No admin access required.
If I want the user's contact list, it's in Outlook or whatever.
If I want to steal the user's passwords, no problem, I can still hook the keyboard one way or another, or just grab them from the browser's password store.
I may not be able to rewrite the browser, but I can debug the browser process and get the same effect.
If I want to run the webcam, no privileges are required.
If I want to send spam, I can make a TCP connection without administrator access.
OK, I may have trouble hiding myself as well as I'd like from privileged anti-malware programs, or make it monstrously hard for them to remove me. There are a few things I can't change on the local system. I probably can't hook file system or network access, and if I can it's probably for only one user. There are a few not-that-important services I can't talk to. I can't mess with the lower layers of the network very much. I can't create another user. It would be nice to be able to do those things. But it's not like I'm seriously handicapped without administrator access. And, since I also have access to run privileged programs or send requests to privileged services, I have a huge surface available to attack with 'sploits if I do want administrator access.
Same on Linux. Yeah, there are differences, but they're down in the noise; they aren't the sorts of qualitative things that would really matter in terms of making the desktop trustworthy.
Re:And this is why... (Score:4, Insightful)
You're wrong in saying administrator access is the basic difference between Linux and Windows. The most basic difference is in default file permissions. Windows ties read and execute together by default. You put an executable on a Windows system and it's immediately executable by anyone. That is not true with Linux. Executables are only executable by default if a a system tool, such as apt-get, yum, etc... is used to install them. Otherwise, the user himself must add the execute permission to the file.
This is a huge barrier to malware spreading like many instances of Windows malware has spread. Remember all those instances of one person opening an infected email and everyone in the office being infected as a result? Can't happen on Linux due to file permissions. That executable can't execute unless/until the user gives it execute permission.
Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it. Try that on Windows and it works. No changes necessary. That's a huge difference in security.
Actually, it seems reasonable to me (Score:4, Insightful)
Actually, it seems like a reasonable assumption to me. Always code or design assuming the worst. Before you decide what hoops you make the user jump through to get his money online, assume that he's pwned in every imaginable way, that his firewall is mis-configured to be a digital goatse ;) and probably he's not even who he says he is. And he's probably trying to break your system too. Because sooner or later you'll have to deal with just that. Now what can you do to mitigate such a situation?
Basically you can divide people and design philosophies into a spectrum between:
- optimistic: they expect the best possible outcome. They just know it'll be all right. The world is nice, the users do exactly the click sequence they've been told to, and his functions only receive exactly the right input.
- pessimistic: they expect that Murphy's Law is actually a law of the universe, and if something could possibly go wrong without violating the laws of physics, it will. Actually the real serious pessimists don't even exclude the laws of physics going wrong. They tend to have the speed of light as a variable ;) They also tend to bring a sweater or two along when going to the beach in Florida in August. And they just know that some bastard out there will feed their program the wrong input, or will have his password stolen by a keylogger and then sue when he finds his account empty. They tend to rarely be disappointed in those expectations, actually.
Personally I like my programs and processes designed by the latter. And it seems to me like this is what those banks are doing. They're for a change starting from the worst possible scenario as an assumption. Nothing wrong with that.
Re:Assign responsibility to those who can do.... (Score:3, Insightful)
It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.
Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.
On the contrary. Claim to be a representative of the movie or recording industry, and claim list those addresses as infringing your copyright. Tada. Instant automated disconnect (well, after the third time at least..) :P
Re:And this is why... (Score:3, Insightful)
I have SELinux on my desktop, although it's not as tightly configured as it could be. I'm typing this on it.. It's not what I want, and I don't think it can be made into what I want.
The problem with SELinux is that it falls into the classic "reference monitor" trap, where some outside piece of code tries to intuit the intent of something like a system call. It's a layered-on kludge, like a firewall.
I want something more like KeyKOS or EROS, perhaps with a layer of something like (but not identical to) MLS a la Bell and LaPadula, or some kind of compartment tagging system. In SELinux, I can still say "fopen (/etc/passwd)". In KeyKOS, "/etc/passwd" isn't even a defined name for me; if I need that file, I'll be given an opaque handle for it, which I can then store in my own name space if I want to.
It is not enough to layer on some kind of reference checker if the underlying programs assume that they have access to everything. One of the big reasons that SELinux is a PITA is that the behavior of the programs its trying to control is so complicated and irregular, and the people writing the programs aren't the people writing the SELinux configurations. Without big changes in the APIs and ways of doing things, it's really hard to guess what a program may try to do or what it needs.
SELinux also doesn't have the sort of granularity it would need for network access control. You only get control up to the socket layer. To do it right, you'd need to rearchitect the whole stack, so that you could give programs restricted access at whatever layer was appropriate. It should be possible to express "this program can get this URL (or, better yet, this opaque network handle), but not this other URL".
You have too much faith in users (Score:3, Insightful)
You have too much faith in the average user, if you think they'll configure and admin a whole PC instead of just buying a small appliance and forgetting that it's even there. And if you actually want them to configure and admin it _well_, now that's a whole other issue.
Re:Though the Times They May Look Grim ... (Score:3, Insightful)
Re:And this is why... (Score:3, Insightful)
The main difference is cultural and longstanding.
Unixen are in the habit of granting the least amount of priveledge necessary and sandboxing regular users. This goes way back into the depths of time where the OS was intended to service more than one end user and tried to keep any single user from running amok and "bringing the entire network down".
The problem with Microsoft isn't so much that their OS is crap but that their single user Commodore 64 approach to the system means their apps are crap. They make stupid engineering decisions allegedly for the sake of "easy" and then miss being easy.
It all boils down to the fact that running random binaries from untrusted sources should be hard and there should be a nice thick line separating programs and data.
Most people don't want or need a scripting language masquerading as a word processor format.
"run this" types of "malware" will always plague systems that allow end users to run anything though.
Re:Security is as futile as DRM. Of course we lost (Score:3, Insightful)
I don't think it's quite as you describe.
Your argument makes sense in a highly abstract, academic universe in which all people are perfectly skilled, knowledgeable and well resourced. This is too far removed from reality to be useful.
The first problem is that we know it's possible to build DRM that is extremely hard to crack. The PS3 is a working example of that. Games distributed via Xbox Live (versus dvd) are another example. These systems have been partially defeated a handful of times and then promptly re-secured. It turns out that though you technically speaking "have the keys" they are buried under so much silicon wizardry that in practice you don't have them.
The second is that it's very questionable whether there is any such thing as a "completely secure system" as you describe. Your phrasing is vague so I'll assume you're talking about resistance against attackers who are physically remote. The trend has been that over time, bugs that were once thought to be un-exploitable have become exploitable. For instance at one time both heap and integer overflows were not deemed to be a security issue until techniques for reliably exploiting them were published. Likewise, it's only recently that implementors of software cryptography have started thinking about statistical side-channel attacks and many (most?) engineers are still unfamiliar with them.
In short, it's possible to build both very strong DRM and very strong security against remote attackers, but real people routinely build very weak versions of both and I am skeptical there are any perfectly undefeatable systems out there.
Re:Excellent (Score:3, Insightful)
if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?
Because it's cheaper to pay for the amount of fraud that occurs than to lose customers by blarthering about a security risk that, in all honesty, most folk never run into.
Online security will only ever be good enough to where sneaking into someone's house and planting a keylogger is a little bit easier.
Re:Except you still miss the point (Score:3, Insightful)
Most Linux users that you know have little in common with their computing habits than most Windows and Mac users that I know, I'd wager.
Re:Though the Times They May Look Grim ... (Score:1, Insightful)
Telus gave us this really crappy DSL/Wireless router. I never changed the admin password (admin/telus) on it, but I put a wireless password on it.
To quote the Mythbusters, "Well there's your problem!"
That's PART of your problem. The other part is that you went and downloaded pirated stuff. The problem with pirated stuff is that bad guys often use "free" as a way to get into YOUR stuff, and do very bad things. Yeah, you got to see Sherlock Holmes without paying for it (That's showing The Man!); but hey, how much is your time worth? How much is the security of your data worth?
As my grandparents used to say, if you lay down with dogs, you get fleas. If you get stuff from shady sources, don't be shocked when you discover that they want to do shady things to you, too.
Re:No-Charge Solution (Score:1, Insightful)
Re:And this is why... (Score:3, Insightful)
HUH?
There is a fundamental difference where Windows fails and Unix works.
as a user you NEVER HAVE TO GIVE THEM ROOT ACCESS. Ever! I can as a user install software, make changes, Hell I can change Xorg settings and never touch /etc if I blow the hell out of things I only blow the hell out of it for me.
windows? I have to write to that abortion called the registry that is in the system folder., Oops install software? I need to write to system and system32. Look I got me a open door into the system...
Honestly, it's utter retardation that windows works the way it does. there should NEVER be a reason to write to the OS files. put software DLL files in /program files/system put software settings in a seperate registry. NOTHING should be able to go into /windows for any reason unless it's an OS update or a driver update and only done via Administrator.
Re:Though the Times They May Look Grim ... (Score:5, Insightful)
Welcome to the world of IT, where people don't care about you until something breaks, then it's your fault until it's fixed.
Re:Though the Times They May Look Grim ... (Score:3, Insightful)
what they are mostly the target is idiot users that leave them wide open and never update them.
Leaving them wide open has nothing to do with it. The exploits are based on hardware/firmware vulnerabilities. As far as updating them, yeah, that's great for you and me, but to most average router users the router is an appliance, like a clock radio, and they don't know they need to be updated. Not to mention how confidence wanes when they get one look at the the horrific warnings you get when you do try and upgrade the firmware on a router.
Re:Though the Times They May Look Grim ... (Score:1, Insightful)
Well, uh, he did say that he saw it in theatres, which I'd bet cost $15 a pop; so, $45 for the three of them. That's not enough, yet? Oh, no, we'd like you to please pay for every viewing in every medium, please; we're working on making that legally mandatory...
That doesn't undermine your main point, but it does kinda erode your moral high ground.
And then again, cost is no guarantee of quality. Case in point, the leaky sieve of an operating system that these three must necessarily have been using on all their machines for this story to be possible...presumably they've paid for that. Over and over, every time they get a new machine, FFS.
Re:Though the Times They May Look Grim ... (Score:4, Insightful)