The myth of computer security
by Andy Kaiser
Article ID: 1411
“The computer: an extension of the human intellect.
…soon, the ultimate tool will become the ultimate enemy.”
Let me tell you about a myth, a story, a fable that’s been concocted and perpetuated by certain groups in the media. It’s a story about how – with proper protection – your computer is immune to cyber attacks, viruses and other malware.
That’s the story but it’s not true. I’m talking about the myth of computer security.
There’s no conspiracy here, just unprepared software. Microsoft and various security companies are doing their best against the bad guys, who are attacking faster and more creatively than the good guys can keep up.
The days of the independent lone hacker are gone. They’re still around, of course, but the brunt of the malware industry is focused at a much higher level, where the bad guys are multinational groups, or are sponsored by enemy governments, or are run by organized crime syndicates.
So yes, there is a war. And the good guys are not winning.
With increased complexity comes increased chance of failure
The problem is that the methods of computer attack are so advanced, we need extremely complex software to protect against them. It’s so complex that security software sometimes causes more problems than it’s worth.
In May of 2010, the “Sunbelt Vipre Enterprise” antivirus software released updated versions of their malware protection, which they do multiple times per day. However, the update versions 6272, 6273 and 6274 caused the PC CPU to max out, essentially making the computer inoperable. The fix was to kill the Vipre process long enough to install the quickly-released patch, often requiring a system reboot.
That’s not too bad, right? It could be worse.
It could be, for example, like what happened in April 2010 with the McAfee VirusScan Enterprise product’s recent update version 5958. That update mistakenly identified a critical system process as being a virus. The result is that affected computers would crash and bluescreen and would no longer boot. The fix usually required a few minutes of physical access to the PC. Some unlucky users had to reinstall Windows.
I’m picking on these companies because they were recently in the news at the time I wrote this article. I can easily blame other antivirus products as well. In fact, I love McAfee VirusScan Enterprise – I’ve personally recommended it to and set it up for many of my clients. Same with Sunbelt’s Vipre Enterprise – in fact, that’s my employer’s current software of choice. They’re good products. But the very nature of what they’re meant to fix makes them complex, more invasive and unstable.
[Author's edit: Many readers took the above to mean that I endorse or recommend all versions of McAfee. Not true. I hate the preinstalled and retail McAfee junk. But the corporate-level, partner-resold McAfee software – "McAfee VirusScan Enterprise" is a good product, and is something a home user would never see. This is the only McAfee product I like. Unlike their bloated, ugly home versions, VSE is lightweight, has a tiny footprint, is super-functional and customizable, and is easily managed.
My goal in writing this section was not to recommend any AV package over another, but just to illustrate that no solution works really well, and all are open to self-inflicted damage.]
Remember that in the above cases with Vipre and McAfee, I’m not talking about single PCs in someone’s home. I’m talking about centralized networks of hundreds or thousands of computers. How would you like to be an IT admin that day, when you realize that one thousand of the computers you are responsible for are completely out of commission?
Phishing and user tricks
The previous examples are just problems where our protection fails us. But there is yet another class of malware, the kind that either tricks the user into installing it, or a kind that completely bypasses normal defenses.
Do you use Facebook? In May of 2010, thousands of Facebook users got messages from friends with this text:
“this is hilarious! lol :P :P :P Distracting Beach Babes [HQ] Length: 5:32″”
You being a red-blooded horny person, you click on the link, accept an installation prompt, and – boom! – you’re infected.
Okay, so you made a mistake. Fine. You then go to a security seminar to learn more about protecting yourself. And who could better teach us than the technology giant IBM?
So you’re at the conference, and among the freebies IBM hands out are flash drives. You plug one into your computer, it auto-runs, and – boom! – your computer is infected.
This did happen to IBM at the May 2010 AusCERT security conference. IBM was one of the conference’s “Platinum Sponsors”, and they did hand out a bunch of virus-infected flash drives. Their response to fix the problem included these steps:
Turn off Windows System Restore (I estimate the time to do this is less than a minute)
Update your antivirus software and scan your system (perhaps an hour)
Scan your system with a second antivirus software (this would take another hour)
Back up all vital files (this might take 1-3 hours)
These aren’t so bad, until you get to the kicker:
As a “precautionary measure”, reinstall the operating system (based on the number of programs you have installed, this would take a long time and would require a lot of effort)
Did you notice anything about all of my examples? They all happened within two months of each other. I wasn’t even trying to do that. It’s easy to find such examples, and these just happened to be the most recent when I wrote this article. And they’re all high-profile with big impacts, both in time and money.
None of these examples take into account a far more insidious attack vector: your own system may be compromised without you knowing it. Such systems are controlled by bad guys from a centralized location. Groups of these invisibly-controlled computers are called a “botnet”. Like an invisible on-demand army, a botnet uses your computer to attack large organizations (including government networks), and because of their large numbers are very effective, and the attack controller remains anonymous.
You can be infected and your computer brought into botnet control by rootkits and other hard-to-detect viruses. Methods of infection include everything already mentioned, and flaws in frequently-used software like Adobe Reader, Adobe Flash and Java.
Let me be clear on this: even if you have the latest Windows updates and up-to-the-minute antivirus software, you can still be infected with a virus. Easily.
So that’s scary. But let me be even scarier: even if all possible software is updated on your computer, you can still be tricked into installing something, including via email or by simply visiting an infected web page.
You may never intentionally install anything. You may not realize you’re being infected. But you are. And you’ll never know it.
The immune: Apple and Linux systems
With all the above said, there are people who will - rightly – say that none of this applies to Apple or Linux machines. At the time of this writing, it’s true. Apple and Linux machines aren’t targets. Yet. This article only addresses issues with computers running Microsoft Windows. I did this because Windows is the most prevalent – currently taking about 90% of the market share – so it applies to most people. But at the rate Apple and Linux are climbing in popularity, their time will come. If they become prevalent enough, they will become targets, and they will be attacked.
If you’re running Windows, the security on your own systems is best protected by doing these things:
Don’t visit bad sites: I know this may be hard for you to do, particularly for you porn lovers and file sharers (neither of which, in my opinion, are inherently bad things). But those sites contain a higher-than-average chance of exposure to virus installers.
Spam protection: Whatever your email method of choice happens to be, make sure you have spam protection. You’re taking chances without it. Even if you never ever EVER click on a link within a spammed email, you can still become infected simply by opening a bad email (via an attack method called HTML scripting).
Educate the users: this is the hard one, but in today’s world it’s required. You don’t drive a car without learning about gas fillups, tire pressure and oil changes. And you shouldn’t use a computer without knowing how to maintain its security. This includes knowing how to update the parts of the computer that need updating, and knowing what behavior is normal and what is not. In my opinion, this should be required on a personal and corporate business level – particularly when user PCs have exposure to paychecks and bank accounts and other sensitive information.
The future of computer security
What’s going to happen next? There are a lot of possibilities, but I personally have a more pessimistic short-term outlook. I believe things will get worse before they get better. Malware writers have done some bad things, but haven’t yet affected governments and top-tier businesses enough to force significant changes.
And that, unfortunately, is what the industry needs. Without a large-impact attack, the industry (particularly Microsoft) has no real motivation to make significant, costly, fundamental changes to the security of their products. I don’t want this to happen, but I fear that’s what we need before we’ll get a proper fix.
In the meantime, what can we do? Speaking for myself, here’s what I do:
I keep everything updated. I pay attention to where I’m browsing, what sites I visit and what’s happening to my computer. I know enough about attack methods to realize when something isn’t right.
The most important point: I backup all important data.
Don’t be too depressed. The ratios are on our side: given the sheer numbers of PCs out there, most of us are a tiny fish in an ocean, and the predators probably won’t notice us. Our own obscurity is our protection.
But if you’re hit by a random or directed attack, good luck. Current computer security is so weak, so easily compromised, that even a supposed “properly protected” system is vulnerable to complete takeover. Weaknesses include the system itself as well as the always-flawed human user. So protect what you can, and educate to the extent you value your systems and data.
It’s an ugly world out there. And this article doesn’t even address the newest, up-and-coming attack vector: cellphones! But relax – the next time someone sends you an instant message, I’m sure you’ll be safe.
“You won, okay? This is just a game!”