Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

When does self-responsibility kick in?

April 28th 2006 in Uncategorized

The Web site www.itnews.com.au has highlighted a Russian ‘smartbomb’ for purchase that allegedly targets unpatched PCs:
http://www.itnews.com.au/newsstory.aspx?CIaNID=31952


According to itnews, Websense has reported that 1,000 sites are using the smartbomb, which can be purchased for as little as US$10.00.


The worrying thing that caught my attention about the report is that according to the statistics from just one attacker site, over 1,770 PCs were successfully compromised via a vulnerability that was patched back in April 2003!!!  I find it amazing that there are still computers out there that are vulnerable to an exploit that was patched three years ago.


The second most successful exploit for the highlighted attack site was one that targeted createTextRange, which was patched on April 11 – Websense reports that 1,507 PCs were compromised via that vulnerability.


There is only so much that we, as computer professionals, can do to protect people from themselves. Sooner or later every computer owner has to take responsibility for their own PCs, for their own security, and for their own education.


We’re having an interesting discussion in a security-focused mailing list at the moment about reports that Windows Vista’s outbound firewall abilities will be disabled by default because the corporate end of town want it that way.


Some of the reasons given for why the decision is ok are, to me at least, staggering – for example:


1. The average user is not going to be interested or will freak out;
2. Stuff may get through anyway;
3. If you force them to learn they’ll start using another OS;
4. The public doesn’t want to be educated;
5. Computer manufacturers/ISPs won’t like the cost of supporting confused users.


So…. computer manufacturers/ISPs won’t like having to wear the cost of support calls – big deal.  Let’s think about cost.  How much money do you think is spent fighting, for example, spam? Spam that comes from compromised home computers?  How much money has been and continues to be spent by corporations and private citizens paying for the bandwidth absorbed by said spam?  How many corporations have had to spend money on various attempts to ward off spam, whether it be software or hardware solutions?  How many have had to upgrade their hardware to cope with the demand?  How much money do you think has been spent fighting denial of service attacks from compromised home machines? How much money is spent fighting to take down phishing sites on compromised home machines? How much money has been lost to the criminals behind phishing sites? (the last report I read mentioned losses running into the millions).


Users who are not willing to educate themselves are a risk to themselves and other internet users.  Their compromised machines pump out spam; their compromised machines are used for denial of service attacks; their compromised machines are used to host phishing websites.


I am a finite resource; my associates are a finite resource; sooner or later we have to say “listen, you’re harming the community at large, get with it or get out”.


Therefore, if forcing users to ‘get educated’ ends up with their choosing a different operating system, then I’ll show them the way and shut the door behind them.  It’s one less thing to worry about.  If forcing users to learn about and use things like firewalls and patching leads them to choose a different operating system – there’s the door.


If home users are not educated – if they will not take responsibility for their own machines – then spam will not go away, denial of service attacks will not go away, phishing web sites will not go away.  That’s the reality folks.


Another article at Eweek from earlier this month noted that “recovery from malware [is] becoming impossible”:
http://www.eweek.com/article2/0,1895,1945808,00.asp


I have met Mike Danseglio (the guy who was interviewed for the article) – I attended training sessions that he held back in April 2005 in Singapore and still have his business card on my desk.  I remember how we left his sessions thinking “we’re screwed”.  I also remember that we wanted to cancel all the other sessions for the rest of the day so that we could continue working with and learning from Mike.


When I look at the risk to the internet community at large from compromised machines spewing crap I wonder how the heck people can say that not pushing for user education is ok. 


3 comments to...
“When does self-responsibility kick in?”

Oldfrog

That was good, Sandi, as far as you went, but why is MS still in denial about the validity of outbound filtering? You and I have both seen forums full of people already using this to protect themselves successfully. You and I know that there are companies out there making big bucks marketing the technology. So why is MS still denying the validity?

Could it possibly be because that capability gives the users a measure of control over the OS that they have never had before and that MS doesn’t want them to have? I hope that isn’t the reason because I don’t like tinfoil and look silly in a hat made of that. Tell me that they are misguided instead.



sandi

Ok, I do not believe that MS has decided on a stateful firewall for any ulterior motive. That being said, I believe they are wrong to bow to the requirements of their corporate customers. Instead of simply turning it off they could offer custom installations that allow for disabling of various features, but which leaves filtering on by default.

I am remembering many discussions, interviews and online articles read over the years since the Windows Firewall (then known as the Internet Connection Firewall) was first released which has left an overall impression that MS were not aiming to compete with products such as ZoneAlarm, Kerio and Sygate (all of which prompt the user to make a decision about allowing various programmes access btw) but rather wanted to give users protection from events like Blaster and Sasser – of course, the fact that the original firewall was TURNED OFF BY DEFAULT was a bit of a boo-boo, but they fixed that in XPSP2.

My understanding is that the whole point of the firewall was not to provide a comprehensive solution. I am remembering an awareness of the firewall products that were already out there and popular. My personal opinion is that if MS went head to head with established products they’d likely find themselves in court.. again..

Now, how MS’ decision to provide basic protection from events like Sasser and Blaster, and not compete with established comprehensive products, transmuted into people believing that they are saying that outbound filtering is not necessary or ineffective, is not something I quite understand.

The primary reasons in the public space that I am seeing for the no-outbound-filtering opinion are that:

1) users aren’t going to understand the messages or be able to decide what they can or cannot allow (svchost.exe wanting access to the internet is the number one example in such discussions); and

2) if malware is on your machine it is no longer your machine anyway and you are at risk of the firewall being bypassed (the ‘why bother because they might be able to get around it’ argument).

WRT users not understanding the prompts that may be presented about, for example, svchost.exe wanting to access the internet, I would love to see a company design a firewall alert that says is **trying to use svchost.exe** to access the internet. If the alert window could include the associated icon, details of the target path and pertinent information such as company name and product name from the file’s built-in version info, then all the better. If MS decided to introduce a more comprehensive product, that is the path I would like to see them take.

Here is the Windows Firewall FAQ – you’ll note they say that if you already have a third party firewall product then you should continue to use it:
http://www.microsoft.com/athome/security/protect/firewall.mspx



Ian Oxley (UK)

Thank you for saying so well what needs to be said. I hope you won’t mind if I quote you here and there! 😉

If “they” switch to other OS’s, those will just end up spewing out spam and crap anyway.

