Slashdot Mirror
The Desktop Security Battle May Be Lost
Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.
The Desktop Security Battle May Be Lost
No, you must have hope! We just need to hold them off a little longer until Gandalf the White Hat shows up on Shadowfax Machine.
My work here is dung.
Then they could just assume that the customer's computer is incompatible.
The Year of Linux on the Desktop(tm) is just around the corner!
> ...many organizations, particularly in the financial services industry,
> have gotten to the point of assuming that their customers' desktops are
> compromised.
They should have been assuming that all along. They should assume it even if only a tiny fraction of their customers' desktops are compromised.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
if banks "know" that the customers are infected, why do they blithely sell online access and transactions as a benefit, without any cautions about security?
perhaps the banks have realized this could be a new way for them to make money: they could start making and selling some kind of secured, dedicated routers or something, for those customers that have to take care of their banking online. no router, no access.
"To stop the terrorists."
If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.
What? No.
DRM can always be defeated because of its design. If I lend you the key to my apartment so you can go in and borrow some sugar or something, there's nothing I can do to stop you from cleaning out my apartment and skipping town. But to claim all locks are futile because of that is just retarded.
DRM can always be defeated because the "attacker" is exactly the same as the user, and you're already giving them everything they need. That is a system which is fundamentally flawed. Real security is where you don't give the attacker your keys, passwords, etc.
It is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people. There are also vulnerabilities from sloppy coding, but these have very little effect against users with good security habits.
Sure, it may never happen, but if so, that's because we'll always make mistakes. A completely secure DRM scheme is actually a logical impossibility, even if no one makes any mistakes.
Don't thank God, thank a doctor!
The fundamental security model of Linux is no better than that of Windows. The main reason Windows gets nailed is that it's more profitable to write malware for Windows than for anything else. If Linux had the market share of Windows, it would have as much, or nearly as much, malware.
In either Linux or Windows, being able to run any code at all gives you essentially complete access to the user's data, plus almost unlimited access to system resources, plus the ability to talk to the network. Who cares if you're not running as root if everything interesting is owned by the user's account?
There are ways to make systems more secure, starting with strong containment. How strong? Strong enough that your program can't even express the desire to, say, open a file that the user hasn't given it a capability for. Strong enough that the user has to jump through hoops to give certain programs access to certain data. Especially programs with network access... which need to be only the programs that actually need it. Strong enough to subdivide lots of functions that people are used to putting together in the same process. Strong enough that you can forget about most of the APIs you're used to coding with. And, if you're going to run apps out on the network, that whole system has to extend out into the network as well.
On top of that, people ought to be using tools that make it a lot harder to express common security bugs, and that help you to notice when you've created others.
If this is to be fixed, users and programmers are going to have to change the ways they do things. I'm not super optimistic.
Linux helps not at all. Even OpenBSD wouldn't help much.
We need to assign responsibility to those who can do something about it.
Every day, my firewall emails me a list of port scans against it, sorted by IP address. Most days that list is just under 100 different IP addresses scanning me, some days it is in the thousands of IP addresses - from all over the Internet (i.e. not just local addresses). This is on a residential DSL connection that offers no services to the world, isn't linked to by any web sites, and does not respond to any unsolicited traffic.
It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.
Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.
This is one of those rare cases where "there ought to be a law" is a reasonable response: were ISPs required by law to investigate abuse reports and disconnect infected clients until those clients are cleaned up, the number of infected machines on the Internet would be reduced, the profit margins of the bot-herders and spammers wiped out, and the system would clean itself up. However, such a law would be fought most vigorously by all ISPs precisely because it would be internalizing a currently externalized cost, and it would be worth vastly more to ISPs to prevent such a law than the cost of lobbying against it.
(NB: "repeatedly submitting false abuse reports" is itself abuse, and should also result in the source of the false reports being shut down).
"Trojan/Worm/Virus" credits, anyone?
www.eFax.com are spammers
I disagree. Even working at a university, it completely depends on how you run your show. The department I'm part of has a border firewall, client firewalls, no one runs as administrator, antivirus, spyware, malware checkers are run on a regular basis. More important than any of those: we spend time to educate our users on security. They know what to avoid in terms of phishing scams, never to give out passwords to anyone, what to look for before you click on a link in an email (or even a website), etc.
To say the desktop war has been lost because the company you talked to has sucky IT and suckier IT clients...is just dumb.
It's simply a matter of convenience. There are several ways to make online banking completely secure. For instance, the bank could distribute Live CDs/USBs with a bare linux system and a browser. You want online banking? Wait for a minute or two, then login through the browser presented. Problem is, no one would put up with such inconvenience. WE WANT ACCESS RIGHT NOW!!!! Waiting for two minutes is unthinkable... Ultimately, you're right - as long as there are users, there will always be security problems, although the solution is 2 minutes away. We are just so fucking impatient :)
I know that it's a sacred tradition to regurgitate fanboy oneliners without thinking, but in this case
1. it was even in the summary that by now even home routers are targeted by the asshats. I fail to see how a hardened Linux PC helps there.
2. Actually, it seems to me like most zombie PCs nowadays don't come from port overflow attacks any more, but because of users clicking on spam links, re-entering their bank password on some www.i-pwn-you.ru site (fictive address for example sake) because the email told them to, and installing crap.
I'm not sure how Linux would help there at all. You do know that you can download and install rootkits for Linux too, right? In fact even the term rootkit comes from the Unix world, not from Windows. What's to keep an asshat from making their rootkit masquerade as a cutesy Linux screensaver instead of a cutesy Windows screeensaver?
If user clue remains a constant, meet the Clueless family, a white suburban family whose only knowledge of computers is that the nice guy at the shop said they need the most expensive one: you'll still have Joe Clueless opening executables he received in spam mails. And his wife Jane Clueless confirming her Paypal and eBay password the fourth time this week alone, and none of them was on paypal.com or ebay.com. And downloading and installing some piece of spyware masquerading as some cutesy utility or casual game. And their son, Timmy Clueless installing what some dodgy site told him is some hack to see through walls in Counter-Strike. And of course it needs to be installed as root, in fact as a kernel module. So punkbuster (or equivalent) can't detect it, you know? *nudge* *nudge* *wink* *wink* Know what I mean, eh?
Just as they're not deterred by Windows popping up a big fat windows asking them if they really want to install stuff, they won't be deterred by whatever hoops your favourite Linux distro makes them jump through either. If they have to su -, they'll su -.
End result: they're still pwned.
A polar bear is a cartesian bear after a coordinate transform.
The battle isn't winnable, not without a significant world wide crackdown on rights and liberties.
Using that logic to say we shouldn't fight the battle at all is fundamentally flawed though. It's akin to saying that the battle against murder, rape and kiddie porn isn't winnable and should be given up. Human nature cannot be changed, we've spent countless thousands of years learning and relearning that lesson when we forget what history has taught us before.
Just because human nature cannot be changed does not mean that we give up on protecting ourselves. You don't play to win, you play because you can't afford to lose.
Don't use Windows. Was that so hard?
Actually yes, it really really was. I worked for a long time to get my windows games working under Linux, and the best I could do was get a mostly working WoW through newer versions of wine (older versions had graphical corruption). I could resort to virtualbox to run games like alpha centauri and civ2. I simply was unable to run newish games, period.
So I gave up. I dual boot now. Windows for games, Linux for everything else.
Not everybody uses Windows because they're lazy, ignorant to marketing, or even want to. Sometimes it's the only thing that actually works.
Other countries seem to be realizing that's it's a much more winnable battle if home users aren't in an MS environment. Isn't this EXACTLY why the Canadian bank recently started handing out Linux Live Boot CDs for their customers to use when banking from home?
I think this is the article http://linux.slashdot.org/story/10/03/25/2350236/Can-Ubuntu-Save-Online-Banking
So, suppose I'm the business end of a botnet.
What does administrator access give me?
Sure, I'll take if I can get it, because it might come in handy. But how important is it to me, really?
If I want to steal the user's credit card number, it's right there in a Quicken file. No admin access required.
If I want the user's contact list, it's in Outlook or whatever.
If I want to steal the user's passwords, no problem, I can still hook the keyboard one way or another, or just grab them from the browser's password store.
I may not be able to rewrite the browser, but I can debug the browser process and get the same effect.
If I want to run the webcam, no privileges are required.
If I want to send spam, I can make a TCP connection without administrator access.
OK, I may have trouble hiding myself as well as I'd like from privileged anti-malware programs, or make it monstrously hard for them to remove me. There are a few things I can't change on the local system. I probably can't hook file system or network access, and if I can it's probably for only one user. There are a few not-that-important services I can't talk to. I can't mess with the lower layers of the network very much. I can't create another user. It would be nice to be able to do those things. But it's not like I'm seriously handicapped without administrator access. And, since I also have access to run privileged programs or send requests to privileged services, I have a huge surface available to attack with 'sploits if I do want administrator access.
Same on Linux. Yeah, there are differences, but they're down in the noise; they aren't the sorts of qualitative things that would really matter in terms of making the desktop trustworthy.
You're wrong in saying administrator access is the basic difference between Linux and Windows. The most basic difference is in default file permissions. Windows ties read and execute together by default. You put an executable on a Windows system and it's immediately executable by anyone. That is not true with Linux. Executables are only executable by default if a a system tool, such as apt-get, yum, etc... is used to install them. Otherwise, the user himself must add the execute permission to the file.
This is a huge barrier to malware spreading like many instances of Windows malware has spread. Remember all those instances of one person opening an infected email and everyone in the office being infected as a result? Can't happen on Linux due to file permissions. That executable can't execute unless/until the user gives it execute permission.
Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it. Try that on Windows and it works. No changes necessary. That's a huge difference in security.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
One thing I loved about the ThinkNIC I set up for my mom so many years ago was that it was impossible to break. It booted from read-only media (a CD) so I knew that mom could never screw up anything in her computer permanently. The worst possible crash could be fixed by just turning it off and back on.
With so many folks pushing "cloud-based" solutions for, well, everything - Why hasn't something like the ThinkNIC come back?
A little box with any sort of read-only memory could hold all the programs most users will ever want. Make that memory in the form of some sort of plug-in card, and the entire machine would be easy to upgrade. (ThinkNIC used to send out new CDs with the latest versions of their setup.) It would also be easy to fix if a security problem were found; just mail out a new SD card or whatever.
Banks could advertise "Real Security. Because we care." They could give away a small computer to customers with the promise that said little box would enable streamlined access to their accounts, all while doing nearly everything an adult could need from a computer.
There's a kernel of a good idea in there, somewhere. I'm not the entrepeneur to make it into a business but I'm wondering why I don't see anyone trying?
I never seem to have these problems. Is there some weird, vulnerable OS out there that a lot of folks are using?
Actually, it seems like a reasonable assumption to me. Always code or design assuming the worst. Before you decide what hoops you make the user jump through to get his money online, assume that he's pwned in every imaginable way, that his firewall is mis-configured to be a digital goatse ;) and probably he's not even who he says he is. And he's probably trying to break your system too. Because sooner or later you'll have to deal with just that. Now what can you do to mitigate such a situation?
Basically you can divide people and design philosophies into a spectrum between:
- optimistic: they expect the best possible outcome. They just know it'll be all right. The world is nice, the users do exactly the click sequence they've been told to, and his functions only receive exactly the right input.
- pessimistic: they expect that Murphy's Law is actually a law of the universe, and if something could possibly go wrong without violating the laws of physics, it will. Actually the real serious pessimists don't even exclude the laws of physics going wrong. They tend to have the speed of light as a variable ;) They also tend to bring a sweater or two along when going to the beach in Florida in August. And they just know that some bastard out there will feed their program the wrong input, or will have his password stolen by a keylogger and then sue when he finds his account empty. They tend to rarely be disappointed in those expectations, actually.
Personally I like my programs and processes designed by the latter. And it seems to me like this is what those banks are doing. They're for a change starting from the worst possible scenario as an assumption. Nothing wrong with that.
A polar bear is a cartesian bear after a coordinate transform.
No, it's about profit. The flaw in the Windows/Linux/OSX security model isn't administrator access. Having a concept of some split personality user is a ridiculous hack that dates from a security architecture designed in the 70s. Nobody would use it if designing an OS from scratch today.
The flaw in these systems models is that developer tools and debuggers specifically are not built in to the system but rather are treated the same as any other application, which means any app can take control of any other app with only an "are you sure" screen in between at best.
You'll notice that mobile OS' don't have this. ChromeOS will likely have the standard Chrome developer tools which are "special" and cannot simply be swapped out for some other app. This means less innovation in debuggers but it gives the possibility of implementing real security because apps become much less slippery.
The desktop PC era is coming to a close. Nobody is quite sure what'll come next but I'm putting my cards on a combination of some much improved iPad OS, Android or (more likely) ChromeOS. Right now these are the only contenders for the "usefully more secure than windows" crown.
Mainly because the current crop of Linux users are nerds. If the example Clueless family in my example exercised that level of caution, well, they wouldn't be clueless in the first place.
And if they were that cautious, they wouldn't get pwned in Windows either. I mean, it's not like that spyware crap was linked to from microsoft.com or anything.
The way they get pwned is more like:
Joe Clueless wakes up on a saturday morning, scratches his balls and goes to see if he has any email. Does he want herbal Viagra? Hmm, Jane has been faking too many headaches lately, maybe it couldn't hurt to at least look at the site. Just in case. Big fake UI popup tells him that he has 200 viruses on his system and needs to download and install the free Pwnage antivirus. Eeep, he doesn't want no nasty viruses on the computer he does his banking on, so let's hurry and do just that.
Next email tells him that the USPS couldn't deliver some package, and he has to run some attached executable to find out more details. Fuck, he wouldn't want to miss a package, so he dutifully does that.
Another emails tells him that the IRS wants something from him, so he does that again.
Next email tells him that hundreds of naked teenage babes are waiting for him at some .ru site. Well, Jane is out with the kid, maybe he has time to take a peek. Oh, he has to install this free dialer to see the pics. Well, sure, why not? He does that.
After clicking a bit around, another popup tells him that his computer has incriminating evidence against him and he needs to download and run this amazing browser history eraser. Teh oops. Jane might be pissed off if she sees porn sites in the browser history. Time to download and run this trojan too. He makes a mental note to complain about these browser devs who don't include that function already ;)
Meanwhile Jane comes back and wants to see which of her friends emailed her. That computer gets to add a cutesy minigame from an attachment, and another handy-dandy utility to remember her passwords, to its growing malware collection. While she's at it, she clicks on the www.i-pwn-u.ru link in another email to confirm her Paypal password again. She makes a mental note to whine about these idiots at Paypal who forget her password every other day and keep asking her to enter it again ;)
Little Timmy gets his computer time in the afternoon and gets his ass handed to him in multiplayer again. He googles for "counterstrike cheats" (or whatever game he's playing) and gets to some dodgy site where if you just download their keyboard and mouse driver, it can do a whole collection of FPS macros for you and make you play like a pro. (And also log the keypresses and send them back home, but they're not saying that.) Bweh-heh-heh, he'll show those guys in his clan who's teh uber-l337 FPS player.
Do you see any reason why in the same scenario they'd exercise caution about what they download in Linux, when they don't in Windows?
A polar bear is a cartesian bear after a coordinate transform.
I don't generally post this kind of thing, but please mod the parent up. I cannot stress enough how false assumptions are generally bad in terms of security. Yes, Linux is being attacked (successfully), as is Mac OSX. The attacks on home routers are particularly heinous as most people do not update/upgrade the firmware ever, and more of it is based on common Linux underpinnings.
Michael J. Ryan - tracker1.info