Security IT

The Desktop Security Battle May Be Lost

Posted by kdawson
from the deploy-the-tinfoil-hats dept.
Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.
This discussion has been archived. No new comments can be posted.

  • The Desktop Security Battle May Be Lost

    No, you must have hope! We just need to hold them off a little longer until Gandalf the White Hat shows up on Shadowfax Machine.

    • FOR x64!!!

    • by Z00L00K (682162) on Friday May 07, 2010 @12:40PM (#32128804) Homepage

      The major problem we actually are suffering from is that the world depends way too much on a single environment. And that environment is a kludge.

      I'm not saying that Linux is much better - just somewhat better since it isn't as integrated as Windows.

      As for losing the battle - this is a battle you only lose when you give up. As long as you persist you won't lose. You may get some beating now and then, but that's not a big issue since you can come back.

      • by jemtallon (1125407) on Friday May 07, 2010 @12:49PM (#32128954) Journal
        If you'd have read the article, you'd know that home networks are the new frontier for hackers and a big reason why security experts are giving up the desktop fight to focus on the network instead. From the article: "... it won’t matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below." So the old Blame Windows standard won't work in this case.
        • Re: (Score:2, Troll)

          by sznupi (719324)

          "It goes on to speculate about home routers being targeted and infected."

          ^that looks to me more like wondering about a "what if?" hypothetical scenario, not something which actually takes the blame from Windows just yet...

          • by apparently (756613) on Friday May 07, 2010 @01:56PM (#32130162)

            ^that looks to me more like wondering about a "what if?" hypothetical scenario, not something which actually takes the blame from Windows just yet...

            The article states "These are all reasonable assumptions based on real-world attacks that have been going on for some time now. Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic". Links within the original blog post discuss botnets that are already attacking Linux-based routers [computerworld.com]

            There's nothing "hypothetical" about this threat.

            • Mod Parent Up. (Score:5, Informative)

              by aztracker1 (702135) on Friday May 07, 2010 @02:01PM (#32130230) Homepage
              I don't generally post this kind of thing, but please mod the parent up. I cannot stress enough how false assumptions are generally bad in terms of security. Yes, Linux is being attacked (successfully), as is Mac OSX. The attacks on home routers are particularly heinous as most people do not update/upgrade the firmware ever, and more of it is based on common Linux underpinnings.
              • Re:Mod Parent Up. (Score:5, Informative)

                by dwillden (521345) on Friday May 07, 2010 @02:31PM (#32130772) Homepage
                People don't upgrade the firmware in big part because firmware updates are not released. I've had my current Netgear router for over two years. There has not been one firmware update released. And the router management page even has a fairly prominent link to look for updates. If the router manufacturers don't post updates, how can the end users install them?
        • Re: (Score:3, Insightful)

          If you are tired of blaming Microsoft and don't have the heart of twisted logic to blame Apple, then Cisco is your company. They practically own the Internet with a market share that Juniper, Foundry, or Extreme Networks would "die for" (and they almost have; Foundry is now owned by Brocade). Their consumer business, Linksys, has enough DSL routers to make any cracker happy for life. Unfortunately, their CEO is a charming salesman who actually has principles, which makes him hard to demonize. But what t
      • Quitters never win.
        Winners never quit.
        But those who never win and never quit
        are idiots.
        -- despair.com

      • by Monkeedude1212 (1560403) on Friday May 07, 2010 @01:25PM (#32129554) Journal

        It's true. And I've actually received one of these attacks on Routers before, and it ain't pretty.

        So I live with 2 room mates. One of them (we'll call him A) doesn't know a lot about computers besides they play awesome video games. The other (We'll call him B) one loves computers and how he can Torrent "1080p" movies before the blu ray even comes out. He knows enough about computers to set the basic stuff up himself, and I'm sure the average user would call him good with computers, but you or I would be able to tell right away that he's just above average.

        So B downloads a movie. I believe it was Sherlock Holmes. Anyways, he moves it to this external Hard Drive we have laying around, then tries it on his desktop in the living room to see if it works. Video plays, but then he starts getting pop ups. "Dang" he tells himself, tries using the BitDefender online scanner as he leaves for work. A comes home from work a couple hours later, moves the External Hard Drive to the Xbox360, notices Holmes is on there, and tries playing it. It doesn't work. So he moves it over to his desktop in his room, tries it, Hey it plays! But now he's got pop ups as well.

        So I come home, and I decide I want to put on a movie. I move the external hard drive back to the 360 because it's got Office Space on it, and watching that movie after a hard day's work makes me feel better about not stealing from my company. Anyways, I notice Sherlock Holmes is on it, but I mean we saw it in theatres like a couple months ago so no reason to watch it again just yet. I open up B's desktop to surf the net while watching the movie. Pop ups. Well we'll clean that later. Dealt with enough stuff at work, not in the mood. So I bring out my laptop. That's odd, something's hijacking my browser. So I boot into safe mode and run a scan on it. Nothing. That annoys the hell out of me. So grab the screwdriver, rip out the hard drive, slave it, scan it from my desktop, still nothing. Well what the frack? I put everything back to normal, boot it up, look at the settings. That doesn't look like the regular DNS... though it's hard to tell. Same DNS on the desktop. Try browsing the desktop, also getting hijacked.

        Okay, so I log into the gateway. Telus gave us this really crappy DSL/Wireless router. I never changed the admin password (admin/telus) on it, but I put a wireless password on it, my initial premise being that should Telus need to remote in for any other issue there wouldn't be an issue, and the only way someone would get into our network was either breaking PSA2/AES or by plugging in locally. In hindsight that was a bit of a mistake. Anyways, so I look at the router and its DNS was changed from automatically retrieve to the bad DNS.

        Alright. So I change the admin password and change the DNS back, and unplug everyone but me from the router. Don't want the infected machines pushing out the DNS again. I spend the rest of the evening slaving the 2 infected Desktops and cleaning them off, and even checking the 360 hard drive (cause you never know if they've somehow managed to write a virus for that, but luckily it didn't get infected). Then putting everything back to normal. A and B were a little pissed because they were without internet, and without their computers for a little while (which just made me upset because I didn't start the problem, but I had to fix it).

        After everything was working and we were done yelling at each other, we all played a game of Age of Empires 2, co-operatively against computers. It's like Make up sex for nerds. But to be honest, I still get a little tired of having to deal with that kind of stuff. We're all moving out in July.
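The symptom that localized the problem in the comment above (the same unfamiliar DNS server on every machine, including one whose disk scanned clean) can be checked mechanically. This is an added example, not part of the original comment: it assumes each host's resolver settings are available as resolv.conf-style text, and the host names, addresses (documentation ranges) and expected-resolver list are all constructed.

```python
import ipaddress
from collections import defaultdict


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, ignore the line
    return servers


def audit_resolvers(host_configs, expected):
    """Report every resolver outside `expected` and how widely it is used.

    scope is "network-wide" when every audited host has the resolver
    (points at the router/DHCP handing it out), otherwise "host-local"
    (points at the individual machines listed).
    """
    expected = {str(ipaddress.ip_address(e)) for e in expected}
    seen_on = defaultdict(set)
    for host, text in host_configs.items():
        for ns in parse_nameservers(text):
            if ns not in expected:
                seen_on[ns].add(host)
    findings = {}
    for ns, hosts in seen_on.items():
        everywhere = len(host_configs) > 1 and len(hosts) == len(host_configs)
        findings[ns] = {
            "hosts": sorted(hosts),
            "scope": "network-wide" if everywhere else "host-local",
        }
    return findings


# Constructed data: the router's LAN address and one ISP resolver are the
# only resolvers this (hypothetical) household should ever be handed.
EXPECTED = ["192.168.1.254", "198.51.100.53"]

# Constructed sample: all three machines received the same unknown resolver.
SAMPLE_HOSTS = {
    "laptop": "# set by DHCP\nnameserver 203.0.113.66\n",
    "desktop-a": "nameserver 203.0.113.66\nnameserver 198.51.100.53\n",
    "desktop-b": "search home.example\nnameserver 203.0.113.66\n",
}

# Constructed contrast case: only one machine has the unknown resolver.
SAMPLE_ONE_HOST = dict(SAMPLE_HOSTS,
                       laptop="nameserver 192.168.1.254\n",
                       **{"desktop-b": "nameserver 198.51.100.53\n"})

if __name__ == "__main__":
    for label, hosts in (("all hosts", SAMPLE_HOSTS),
                         ("one host", SAMPLE_ONE_HOST)):
        for ns, info in audit_resolvers(hosts, EXPECTED).items():
            print(f"{label}: {ns} {info['scope']} on {', '.join(info['hosts'])}")
```

A "network-wide" finding means cleaning the desktops alone will not help until the router's DNS setting and admin password are fixed, which is the order of operations the comment ends up following.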

    • Re: (Score:2, Funny)

      They may take our identities, but they'll never take OUR LOLCATS!!!!
  • Excellent (Score:3, Funny)

    by hodet (620484) on Friday May 07, 2010 @12:37PM (#32128748)
    That was a great piece of investigative journalism. Banks have accepted that all their customers are infected and gawd knows that every last home router is insecure. So not only are you infected but you don't even know it. Run for the hills.
    • of this alarmist drivel is that there are only 2 adds on the poster's page.

      -Rick

      • by raddan (519638) *
        I know. For all the hype, you'd think you'd at least get some multiplication action in there, or heaven forbid, a divide.
    • Re:Excellent (Score:4, Interesting)

      by memnock (466995) on Friday May 07, 2010 @12:46PM (#32128908)

      if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?

      perhaps the banks have realized this could be a new way for them to make money: they could start making and selling some kind of secured, dedicated routers or something, for those customers that have to take care of their banking online. no router, no access.

      • by Bigbutt (65939)

        Wasn't there a recent Slashdot article where some banks are now providing bootable media for use when accessing the bank's website?

        Won't work with an iPad though :)

        [John]

      • Re: (Score:3, Insightful)

        by Planesdragon (210349)

        if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?

        Because it's cheaper to pay for the amount of fraud that occurs than to lose customers by blarthering about a security risk that, in all honesty, most folk never run into.

        Online security will only ever be good enough to where sneaking into someone's house and planting a keylogger is a little bit easier.

    • by Moraelin (679338) on Friday May 07, 2010 @01:28PM (#32129636) Journal

      Actually, it seems like a reasonable assumption to me. Always code or design assuming the worst. Before you decide what hoops you make the user jump through to get his money online, assume that he's pwned in every imaginable way, that his firewall is mis-configured to be a digital goatse ;) and probably he's not even who he says he is. And he's probably trying to break your system too. Because sooner or later you'll have to deal with just that. Now what can you do to mitigate such a situation?

      Basically you can divide people and design philosophies into a spectrum between:

      - optimistic: they expect the best possible outcome. They just know it'll be all right. The world is nice, the users do exactly the click sequence they've been told to, and his functions only receive exactly the right input.

      - pessimistic: they expect that Murphy's Law is actually a law of the universe, and if something could possibly go wrong without violating the laws of physics, it will. Actually the real serious pessimists don't even exclude the laws of physics going wrong. They tend to have the speed of light as a variable ;) They also tend to bring a sweater or two along when going to the beach in Florida in August. And they just know that some bastard out there will feed their program the wrong input, or will have his password stolen by a keylogger and then sue when he finds his account empty. They tend to rarely be disappointed in those expectations, actually.

      Personally I like my programs and processes designed by the latter. And it seems to me like this is what those banks are doing. They're for a change starting from the worst possible scenario as an assumption. Nothing wrong with that.

    • by hoggoth (414195)

      Banks are quite eager to accept that all of their customers are infected. That will enable them to throw the blame onto the customers when their accounts get hacked.

      Why do you think they call it "identity theft"? My identity hasn't been stolen from me. A vendor's shitty security has given it away.

  • by eln (21727) on Friday May 07, 2010 @12:40PM (#32128798) Homepage
    The Year of Linux on the Desktop(tm) is just around the corner!
    • Re: (Score:3, Informative)

      by landoltjp (676315)
      As much as I'm a fan, t'wont help, according to TFA:

      Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. [...] it won’t matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below

      • Too busy to read TFA... but how the hell are they infecting firmware? That seems like a huge oversight by Linksys, Netgear, etc.

        It's like they're parking a tank in front of your house to defend you from the bad guys, and then leaving the keys to the tank in the ignition.

        Wait, do tanks use keys?

        Wait pt 2, did I just make a car analogy?

      • by Cruise_WD (410599)

        That's okay, in another decade "The Year of Linux on the Router" will be just around the corner :P

        In all seriousness, however, while there's nothing that can be done about the user making bad decisions, the OS can do a fair bit to mitigate the effect of those decisions.

        Not running as a privileged user, having space, cpu and network caps in place, etc. are a start.

        There always will be a trade-off between letting the user do something easily and not letting a program do something too easily. With decent UI de

  • by John Hasler (414242) on Friday May 07, 2010 @12:41PM (#32128820) Homepage

    > ...many organizations, particularly in the financial services industry,
    > have gotten to the point of assuming that their customers' desktops are
    > compromised.

    They should have been assuming that all along. They should assume it even if only a tiny fraction of their customers' desktops are compromised.

  • What's a "virus"? I can't find any reference to it in portage:

    emerge -s virus
    Searching...
    [ Results for search key : virus ]
    [ Applications found : 0 ]

    And what do condoms have to do with computer security, anyway?

    (ducks for cover)

    • You used to be able to sudo apt-get install keylogger under Debian. Even when it comes to being compromised, Linux makes it easier;)

    • by causality (777677)

      What's a "virus"? I can't find any reference to it in portage:

      emerge -s virus
      Searching...
      [ Results for search key : virus ]
      [ Applications found : 0 ]

      And what do condoms have to do with computer security, anyway?

      (ducks for cover)

      The utility "eix" is quite a bit faster than "emerge -s" particularly when you also want to search the package description. You just have to remember to update its index when you do "emerge --sync".

  • by wowbagger (69688) on Friday May 07, 2010 @12:53PM (#32129004) Homepage Journal

    We need to assign responsibility to those who can do something about it.

    Every day, my firewall emails me a list of port scans against it, sorted by IP address. Most days that list is just under 100 different IP addresses scanning me, some days it is in the thousands of IP addresses - from all over the Internet (i.e. not just local addresses). This is on a residential DSL connection that offers no services to the world, isn't linked to by any web sites, and does not respond to any unsolicited traffic.

    It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.

    Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.

    This is one of those rare cases where "there ought to be a law" is a reasonable response: were ISPs required by law to investigate abuse reports and disconnect infected clients until those clients are cleaned up, the number of infected machines on the Internet would be reduced, the profit margins of the bot-herders and spammers wiped out, and the system would clean itself up. However, such a law would be fought most vigorously by all ISPs precisely because it would be internalizing a currently externalized cost, and it would be worth vastly more to ISPs to prevent such a law than the cost of lobbying against it.

    (NB: "repeatedly submitting false abuse reports" is itself abuse, and should also result in the source of the false reports being shut down).

    "Trojan/Worm/Virus" credits, anyone?

    • Re: (Score:3, Insightful)

      by Cruise_WD (410599)

      It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.

      Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.

      On the contrary. Claim to be a representative of the movie or recording industry, and list those addresses as infringing your copyright. Tada. Instant automated disconnect (well, after the third time at least..) :P

    • by hoggoth (414195)

      Spammers will buy 'spam credits' from clean secure users to stay spam-neutral. The overall effect will be a cleaner Internet.
      I myself will be setting up the clearinghouse / broker for spam credits as a service to the community at large.

  • by lymond01 (314120) on Friday May 07, 2010 @12:54PM (#32129032)

    I disagree. Even working at a university, it completely depends on how you run your show. The department I'm part of has a border firewall, client firewalls, no one runs as administrator, antivirus, spyware, malware checkers are run on a regular basis. More important than any of those: we spend time to educate our users on security. They know what to avoid in terms of phishing scams, never to give out passwords to anyone, what to look for before you click on a link in an email (or even a website), etc.

    To say the desktop war has been lost because the company you talked to has sucky IT and suckier IT clients...is just dumb.

    • Yes, any halfway competent organization can secure its workstations. It's not that hard to form and enforce reasonable policies that keep the receptionist's system clean.

      But when she gets home, there's no organization backing her up. There is no policy or IT support beyond (maybe) some Indian call centre whose first priority is getting her off the line ASAP. It's fair to assume her desktop at home has been compromised by anyone with the inclination to do so.

  • by jsnipy (913480)
    This sort of FUD is in the best interest of those who sell "Identity guard" style products/subscriptions.
  • Surely not (Score:2, Insightful)

    by adaviel (1189751)

    The practice of using a single privileged account for everything - banking, reading slashdot, downloading porn - may be doomed, and about time too. But I still think there's hope for using a single piece of hardware and a single network. Even if it comes down to using not just separate accounts, but separate cores, for play and work. Last time I looked (a while back) some CPU manufacturers were adding features for process separation but the OS had not yet implemented support. End-to-end encryption should pr

  • You mean, in our tidy little world of 1s and 0s, where bugs don't exist, computers work perfectly, just like how Hollywood portrays them? Time to come to grips with reality. The World Isn't Perfect (tm), film at 11. People will continue to get pwned on their computers, just like how convenience stores will continue to get robbed, and how funds will be embezzled, and assets seized by a coup, and on and on.
  • I know this because I got a message saying my antivirus was out of date and that I needed to install an update. I simply clicked the link, gave them my credit card number and I'm safe now. I even have a cool new homepage.
  • by onyxruby (118189) <onyxruby@@@comcast...net> on Friday May 07, 2010 @01:05PM (#32129210)

    The battle isn't winnable, not without a significant world wide crackdown on rights and liberties.

    Using that logic to say we shouldn't fight the battle at all is fundamentally flawed though. It's akin to saying that the battle against murder, rape and kiddie porn isn't winnable and should be given up. Human nature cannot be changed, we've spent countless thousands of years learning and relearning that lesson when we forget what history has taught us before.

    Just because human nature cannot be changed does not mean that we give up on protecting ourselves. You don't play to win, you play because you can't afford to lose.

  • We should assume compromise when we are building security into networked systems.

    Anything less would not be diligent in proactive security. And security is always best when it is proactive, and not reactive.

    And while it is inconvenient and even possibly insulting to those of us who have decent control over our system(s), we shouldn't base what we do upon our own security, we should be looking towards the weakest link and assume that it does and will continue to exist, and that is a vector for attack.

  • No-Charge Solution (Score:5, Informative)

    by psbrogna (611644) on Friday May 07, 2010 @01:16PM (#32129372)
    Other countries seem to be realizing that it's a much more winnable battle if home users aren't in an MS environment. Isn't this EXACTLY why the Canadian bank recently started handing out Linux Live Boot CDs for their customers to use when banking from home?

    I think this is the article http://linux.slashdot.org/story/10/03/25/2350236/Can-Ubuntu-Save-Online-Banking [slashdot.org]
  • Now that HP has open sourced its Polaris [wikipedia.org] virus-safe computing project.

  • by BenEnglishAtHome (449670) on Friday May 07, 2010 @01:24PM (#32129548)

    One thing I loved about the ThinkNIC I set up for my mom so many years ago was that it was impossible to break. It booted from read-only media (a CD) so I knew that mom could never screw up anything in her computer permanently. The worst possible crash could be fixed by just turning it off and back on.

    With so many folks pushing "cloud-based" solutions for, well, everything - Why hasn't something like the ThinkNIC come back?

    A little box with any sort of read-only memory could hold all the programs most users will ever want. Make that memory in the form of some sort of plug-in card, and the entire machine would be easy to upgrade. (ThinkNIC used to send out new CDs with the latest versions of their setup.) It would also be easy to fix if a security problem were found; just mail out a new SD card or whatever.

    Banks could advertise "Real Security. Because we care." They could give away a small computer to customers with the promise that said little box would enable streamlined access to their accounts, all while doing nearly everything an adult could need from a computer.

    There's a kernel of a good idea in there, somewhere. I'm not the entrepreneur to make it into a business but I'm wondering why I don't see anyone trying?

  • Baffled (Score:4, Funny)

    by Quiet_Desperation (858215) on Friday May 07, 2010 @01:25PM (#32129556)
    I never seem to have these problems. Is there some weird, vulnerable OS out there that a lot of folks are using?
