(Fear, Uncertainty and Doubt)
and the Secure Computer
This is the first of a series on the security concerns around technology today, with emphasis on the SOHO and home environment, but applicable to virtually any enterprise that doesn't have its own security personnel.
A bit of history
I don't know about you, but I remember the first time I ever saw a virus infected computer. I don't recall the exact date, but it was in late 1989 or early 1990. My friend Ken phoned me up and said "my system says its stoned - what's going on?" Prior to this I was certainly aware of viruses because I had been hooked up to the UseNet News system since around 1983, and had read all sorts of articles and postings on the evolution of Trojans and viruses in various systems. (for a brief but interesting history, see Robert M. Slade's History of Viruses (1992) The point is that I had not seen a virus because I didn't run any MS-Dos systems, either on my computers or those of my customers.
At that time the virus was transferred by people using floppy diskettes from an infected computer on an uninfected computer. The virus buried itself in the boot sector of the floppy (or in a program run automatically at boot) and when the floppy was used to boot the clean computer, the virus infected that too. Because this was a physical process - walking to another computer - the virus spread relatively slowly compared to some of those today.
Today's viruses, Trojans, worms, back-doors, and all sorts of permutations and combinations are collectively called malware for malicious software, and there is a whole industry that has grown up around it. This series of articles will look at all aspects of malware from the point of view of the business owner/manager.
Malware - why and how it spreads
In general, malware spreads due to inadequate security. This sounds like I'm putting the blame on those who are infected rather than on the creators of the malware, and in part I am. The point to understand is that I'm not necessarily putting the blame on the owner/operator of a computer - but rather on those who create the systems that run on the computer. They, the creators of the operating systems and programs have failed to create a secure environment.
|Of course it is always possible for the operator of a computer to be the problem even if the computer and its software is as secure as possible, but that is a different problem that we'll deal with in another issue.
Malware exploits the insecure environment to change and infect critical system files, read system settings, and use system resources to propagate itself. The various exploits are being found and taken advantage of at a much higher rate than when viruses were propagated only by physically inserting a floppy disk. The reason for this has to do with the synergies of the Internet and the age of the Information Revolution.
Today, a criminal cracker in one country might find a vulnerability in an obscure piece of a computer software package; e-mail the details to someone in another country; test it, publish a "root-kit" or "script" that can be used by a "script-kiddy" to create other similar attacks, and compromise several thousand or even millions of computers in a single day.
The information on how a particular system works and ideas on what things to look at might be discussed on an Internet Relay Chat (IRC) system with several "black-hats" listening in and commenting, all in real time yet from anywhere in the world.
|Prior to the Internet, this type of gathering would have been done by using the phone system (phone phreaking, breaking the long distance system to get free calls) but most of the topics were in fact on how to deal with the phone company's computers because there were hardly any general purpose computers "out there".
The creators of the floppy propagated viruses used the UseNet News system in its early days, sent from system to system by dial-up modem so it might take all day for a message to get from Vancouver to New York for example.
It is only with the advent of large-scale purchase by business and the public of similar computers, coupled with the speed of discussion via the "always on" Internet and the speed of propagation of the use of the Internet to spread malware that has caused today's problem.
It might sound like it really takes quite a bit of work to make a virus or worm that can take over many computers automatically and get them to do the cracker's bidding. In fact, for many (most) of the systems that individuals and small businesses use, there really isn't much that has to be done to cause you grief; the computer you are sitting in front of actually has been programmed to make it easy, purposely!
All I can say is "It seemed like a good idea at the time"
The most common desktop environment of the past 15+ years has been Microsoft's Windows of various flavours. One of the design goals appears to have been the recognition by the system of items received by the operator via e-mail (and later via a web browser) that could be "active", doing things like playing a sound (voice-mail), showing a picture or video (video-mail) or running a "cute" program that did various things on the desktop. All this was done with the objective of making the computing system "easier" and "more fun" - but it was also all done with only a benign or friendly local network in mind.
|At the time that MS-DOS and its graphical user interface (GUI) Windows were originally created, the concept of hooking any PC up to a network that might have unknown or malicious people also hooked to it was simply not considered. The only network it would be hooked to was a Local Area Network (LAN) where all the other computing devices were known and under control of a small number of trusted people.
This all changed in early 1993 with the release of a piece of software that allowed the PC to hook up via telephone modem to the fledgling Internet. Even this would not necessarily have been all that problematic except that the Internet itself was also undergoing a change; from the captive, controlled, US Government funded network to a wide-open wild-wild West type of commercial, unregulated, ubiquitous connection facility for the world. It became possible for someone on another continent to directly talk to a PC on your desk. It also became possible for someone who was neither known by others to be honorable or friendly, nor bound by any acceptable usage contracts, to get access to the Internet in general to do pretty much as they pleased.
Much of even this problem might have been eliminated or at least mitigated if Microsoft had taken the move of abandoning the older DOS-based operating systems and programs completely and going with a completely different design that was not trying to be backwards compatible. The problem seems to be that they didn't want to lose the ongoing market - it would have been a tremendous change in the way things worked and would have caused a large hiccup in revenues. Windows NT and 2000 in fact have the makings of a much more secure computing environment, but the backwards compatibility and continued insistence on auto-magic program execution under insecure conditions simply didn't help.
Don't get me wrong, Microsoft was certainly not the only company with problems, they were simply the one that had the largest installed base and presented such an easy target that for a long time, nobody really bothered to go after anyone else. This is changing.
|Today there is less "low hanging fruit"; easy pickings in the wired world.
The problem is that the pickers have now had the time to invent the equivalent of ladders and automated fruit pickers and they're now going after even the tough ones.
Today (mid July 2002) I saw an article that showed that the number of different attacks on Linux this year to date was already over 50% higher than the whole of last year; some 7900+ attacks to July compared to around 5000 for all of 2001. In the same article it noted that the attacks on Windows were down about 20% over last year - but didn't give a real number to compare. I expect the same thing to happen to the new MAC OS/X since it is based on Unix as well. The point is that there are still a lot less Linux and other Unix systems than there are Windows systems, and it is still a lot easier to go after Windows; but it is getting harder.
Of course the other thing to note is that it is much harder to find a problem with Linux than it is with Windows. This is not obvious, since Linux is "open source" and Windows is proprietary. It would be logical to think that being able to read the source code for the whole system would make it much easier to find a problem than having to reverse engineer or simply play with an already running system.
It may look logically easier but it isn't. There are a couple of reasons for this:
- Linux has a multi-layered security model at its base. The typical user is not able to run a program that can damage anything the user's account doesn't "own" on the system. This coupled with the convention of either not allowing or not encouraging the owner of a system to run normal programs as the "root" or super user makes the system quite a bit harder to subvert.
- The fact that the source code is available has meant that far more people than any single company could possibly employ have been looking at the code with the intention of eliminating security holes and bugs. This multitude of eyes has caught and fixed many bugs rapidly and efficiently. Because the source is available, many of those who find problems also propose and implement fixes.
On the other hand, a proprietary operating system (and there are far more than just Microsoft in this boat) has only the eyes of the few (or few hundred) or so directly involved with a particular part of it who are even allowed to see the source code, let alone fix a problem. In Microsoft's case the even worse concerns have turned out to be:
- Even in the newer (NT/2000/XP) multi-layered security Windows systems, the typical single user system is run as "administrator" and there are few, if any warnings that this is not a good idea. In fact, there are many programs put out by third parties that simply won't run except as administrator. Worse, some run as the "normal user" but manipulate the system to give that user administrator privileges without telling them or others what has been done! This shows that the conventions of the developers, encouraged or at least not discouraged by Microsoft, do not take into consideration security concerns.
- The source code for the various Windows systems is not available to any but a very tightly controlled small number of developers. The number of eyes looking for problems is small, and it is not possible for many who find them (by experiencing them on running systems) to fix them. In fact, until only recently Microsoft was very reticent about even admitting that security problems existed.
- The overall system design, whereby files of commands from unknown and untrusted remote systems are automatically and in some cases silently executed with effectively unlimited permission to do anything to the system.
So we know we have systems that are prone to malware attacks. What if we had systems that were flawless, ran only programs that came in a box from a recognized vendor, on CD-Rom, and ran all incoming attachments in a protected environment that could not be automatically subverted?
Well, now we get into the problem of the user, and protecting the system from things the user does that might be harmful in themselves, or that might compromise the security of the system in some fashion.
The next article deals with the security of the user.