The Desktop Security Battle May Be Lost 389
Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.
Re:Though the Times They May Look Grim ... (Score:5, Interesting)
The major problem we actually are suffering from is that the world depends way too much on a single environment. And that environment is a kludge.
I'm not saying that Linux is much better - just somewhat better since it isn't as integrated as Windows.
As for losing the battle - this is a battle you only lose when you give up. As long as you persist you won't lose. You may get some beating now and then, but that's not a big issue since you can come back.
Re:Excellent (Score:4, Interesting)
if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?
perhaps the banks have realized this could be a new way for them to make money: they could start making and selling some kind of secured, dedicated routers or something, for those customers that have to take care of their banking online. no router, no access.
Re:Don't worry! (Score:4, Interesting)
Actual serious answer: they don't. Too many chances to lose them. You lock up a tank by locking all the hatches internally but one, then putting a exterior padlock on that.
The bulletproof desktop (Score:4, Interesting)
One thing I loved about the ThinkNIC I set up for my mom so many years ago was that it was impossible to break. It booted from read-only media (a CD) so I knew that mom could never screw up anything in her computer permanently. The worst possible crash could be fixed by just turning it off and back on.
With so many folks pushing "cloud-based" solutions for, well, everything - Why hasn't something like the ThinkNIC come back?
A little box with any sort of read-only memory could hold all the programs most users will ever want. Make that memory in the form of some sort of plug-in card, and the entire machine would be easy to upgrade. (ThinkNIC used to send out new CDs with the latest versions of their setup.) It would also be easy to fix if a security problem were found; just mail out a new SD card or whatever.
Banks could advertise "Real Security. Because we care." They could give away a small computer to customers with the promise that said little box would enable streamlined access to their accounts, all while doing nearly everything an adult could need from a computer.
There's a kernel of a good idea in there, somewhere. I'm not the entrepeneur to make it into a business but I'm wondering why I don't see anyone trying?
Re:Though the Times They May Look Grim ... (Score:5, Interesting)
It's true. And I've actuall recieved one of these attacks on Routers before, and it ain't pretty.
So I live with 2 room mates. One of them (we'll call him A) doesn't know a lot about computers besides they play awesome video games. The other (We'll call him B) one loves computers and how he can Torrent "1080p" movies before the blu ray even comes out. He knows enough about computers to set the basic stuff up himself, and I'm sure the average user would call him good with computers, but you or I would be able to tell right away that he's just above average.
So B downloads a movie. I believe it was Sherlock Holmes. Anyways, he moves it to this external Hard Drive we have laying around, then tries it on his desktop in the living room to see if it works. Video plays, but then he starts getting pop ups. "Dang" he tells himself, tries using the BitDefender online scanner as he leaves for work. A comes home from work a couple hours later, moves the External Hard Drive to the Xbox360, notices Holmes is on there, and tries playing it. It doesn't work. So he moves it over to his desktop in his room, tries it, Hey it plays! But now he's got pop ups as well.
So I come home, and I decide I want to put on a movie. I move the external hard drive back to the 360 because its got Office Space on it, and watching that movie after a hard days work makes me feel better about not stealing from my company. Anyways, I notice Sherlock Holmes is on it, but I mean we saw it in theatres like a couple months ago so no reason to watch it again just yet. I open up B's desktop to surf the net while watching the movie. Pop ups. Well we'll clean that later. Dealt with enough stuff at work, not in the mood. So I bring out my laptop. That's odd, somethings hijacking my browser. So I boot into safe mode and run a scan on it. Nothing. That annoys the hell out of me. So grab the screw driver, rip out the hard drive, slave it, scan it from my desk top, still nothing. Well what the frack? I put everything back to normal, boot it up, look at the settings. That doesn't look like the regular DNS... though its hard to tell. Same DNS on the desktop. Try browsing the desktop, also getting highjacked.
Okay, so I log into the gateway. Telus gave us this really crappy DSL/Wireless router. I never changed the admin password (admin/telus) on it, but I put a wireless password on it, my initial premise being that should Telus need to remote in for any other issue there wouldn't be an issue, and the only way someone would get into our network was either breaking PSA2/AES or by plugging in locally. In hindsight that was a bit of a mistake. Anyways, so I look at the router and it's DNS was changed from automatically retrieve to the bad DNS.
Alright. So I change the admin password and change the DNS back, and unplug everyone but me from the router. Don't want the infected machines pushing out the DNS again. I spend the rest of the evening slaving the 2 infected Desktops and cleaning them off, and even checking the 360 hard drive (cause you never know if they've somehow managed to write a virus for that, but luckily it didn't get infected). Then putting everything back to normal. A and B were a little pissed because they were without internet, and without their computers for a little while (which just made me upset because I didn't start the problem, but I had to fix it).
After everything was working and we were done yelling at each other, we all played a game Age of Empires 2, co-operatively against computers. It's like Make up sex for nerds. But to be honest, I still get a little tired of having to deal with that kind of stuff. We're all moving out in July.
Re:And this is why... (Score:4, Interesting)
No, it's about profit. The flaw in the Windows/Linux/OSX security model isn't administrator access. Having a concept of some split personality user is a ridiculous hack that dates from a security architecture designed in the 70s. Nobody would use it if designing an OS from scratch today.
The flaw in these systems models is that developer tools and debuggers specifically are not built in to the system but rather are treated the same as any other application, which means any app can take control of any other app with only an "are you sure" screen in between at best.
You'll notice that mobile OS' don't have this. ChromeOS will likely have the standard Chrome developer tools which are "special" and cannot simply be swapped out for some other app. This means less innovation in debuggers but it gives the possibility of implementing real security because apps become much less slippery.
The desktop PC era is coming to a close. Nobody is quite sure what'll come next but I'm putting my cards on a combination of some much improved iPad OS, Android or (more likely) ChromeOS. Right now these are the only contenders for the "usefully more secure than windows" crown.
Because currently most Linux users are nerds (Score:5, Interesting)
Mainly because the current crop of Linux users are nerds. If the example Clueless family in my example exercised that level of caution, well, they wouldn't be clueless in the first place.
And if they were that cautious, they wouldn't get pwned in Windows either. I mean, it's not like that spyware crap was linked to from microsoft.com or anything.
The way they get pwned is more like:
Joe Clueless wakes up on a saturday morning, scratches his balls and goes to see if he has any email. Does he want herbal Viagra? Hmm, Jane has been faking too many headaches lately, maybe it couldn't hurt to at least look at the site. Just in case. Big fake UI popup tells him that he has 200 viruses on his system and needs to download and install the free Pwnage antivirus. Eeep, he doesn't want no nasty viruses on the computer he does his banking on, so let's hurry and do just that.
Next email tells him that the USPS couldn't deliver some package, and he has to run some attached executable to find out more details. Fuck, he wouldn't want to miss a package, so he dutifully does that.
Another emails tells him that the IRS wants something from him, so he does that again.
Next email tells him that hundreds of naked teenage babes are waiting for him at some .ru site. Well, Jane is out with the kid, maybe he has time to take a peek. Oh, he has to install this free dialer to see the pics. Well, sure, why not? He does that.
After clicking a bit around, another popup tells him that his computer has incriminating evidence against him and he needs to download and run this amazing browser history eraser. Teh oops. Jane might be pissed off if she sees porn sites in the browser history. Time to download and run this trojan too. He makes a mental note to complain about these browser devs who don't include that function already ;)
Meanwhile Jane comes back and wants to see which of her friends emailed her. That computer gets to add a cutesy minigame from an attachment, and another handy-dandy utility to remember her passwords, to its growing malware collection. While she's at it, she clicks on the www.i-pwn-u.ru link in another email to confirm her Paypal password again. She makes a mental note to whine about these idiots at Paypal who forget her password every other day and keep asking her to enter it again ;)
Little Timmy gets his computer time in the afternoon and gets his ass handed to him in multiplayer again. He googles for "counterstrike cheats" (or whatever game he's playing) and gets to some dodgy site where if you just download their keyboard and mouse driver, it can do a whole collection of FPS macros for you and make you play like a pro. (And also log the keypresses and send them back home, but they're not saying that.) Bweh-heh-heh, he'll show those guys in his clan who's teh uber-l337 FPS player.
Do you see any reason why in the same scenario they'd exercise caution about what they download in Linux, when they don't in Windows?