Earlier today I was called by a journalist for my industry to ask some follow up questions about some statements I had made to an author… and it showcased to me just how far we need to go to get people to care about Computer Security.


—————————


Thanks for the follow up call regarding the article that was written for _my industry journal_.  I am concerned a bit that you stated that your reviewer of the article did not understand that running with administrator rights on our systems is a key factor of why we get malware and spyware on our machines.  By all means forward this email and my email address to him or her and I’d love to discuss this in greater detail.


In my own office I had a Secretary that was getting malware and spyware on her system and the antivirus and spyware tools would not stop them.  Remember that such software is always ‘reactionary’ and not proactive in defense.  Since I took the time to adjust her system to run without administrative rights, she can no longer surf to sites and download icons and emoticons that I have not authorized, she can no longer merely ‘surf’ to web sites that may infect her system.


Two actions can get malware on a system typically in my office.


1.  Clicking and downloading from web sites that are designed to ‘trick’ the user into installing spyware.
2.  Surfing to a site that injects the spyware into the system because it piggy backs on unpatched web browsers, Sun Java or other ‘infection’ means.


Now given that I keep my web browsers fully patched, the second risk is lessened, but unless we stop the end users from downloading and installing software that they are truly not authorized to install, we will always be one step behind the bad guys.


Moving to another web browser is not the answer in the fight against malware and spyware.


Let me point you to a couple of articles on this topic:


http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp


http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx


“Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well.”


Spyware and Malware was voted number 10 of the Top Tech issues by the CITP and ISACA members in an AICPA poll recently.  Spyware and Malware is big business that includes Russian mobs and other criminal elements.  By not doing all we can to protect our weak links in our firms…the desktops… we are playing right into their hands.  Firewalls do not stop this activity.  Antivirus and Antispyware are always one step behind.  As long as we do not control our desktops and instead rely on the ability for our end users not be be ‘tricked’ and ‘scammed’ we cannot adequately protect our systems.  The average user doesn’t want or need to be a geek, but we in business need to protect their systems accordingly.


http://www.crt.net.au/etopics/migmaf.htm


Vendors like Quickbooks that consistently require “Administrator” rights also impact our security decisions.  I built a web site to highlight these vendors www.threatcode.com They don’t have to care about coding securely because we… the buying marketplace does not care.  We do not care because we do not know why running with administrator rights is dangerous.  It’s a vicious cycle.  Because the marketplace doesn’t care, the vendor won’t change.


To give credit to Intuit, the maker of Quickbooks, they have stated that they will change the way the 2007 version of the software is built to be more secure.  But this was only after the SANS.org organization made them their first “Hall of Shame” vendor for coding in this manner:


http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=59


Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege

This new section allows the user community to share intelligence on applications that require users to lower their barriers to cyber attacks. Now that the US Air Force has established a minimum standard of due care, soon to be adopted by other government agencies, there is a standard against which to measure the application designers’ security decisions.

The first inductee into the Application Security Hall of Shame is QuickBooks.

The latest release of Intuit’s QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system “Administrative privileges” to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization’s ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.

In response to Newsbites’ recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.


————–


Bottom line… as long as we don’t know…don’t understand…. we won’t care.  We won’t ask for vendors to make the software help us be more secure.  We and vendors both have to understand that that least privilege is an absolute minimun in this day and age of security issues.

 

Comments are closed.