May 6, 2010, 2:36PM

Have We Lost the Desktop Security Battle?

For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over.
The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, wrote in a blog post Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier.

If we operate with this assumption, that the client is compromised (again not unreasonable), then the good guys have ceded victory in the desktop security battle. With over 1 billion people on the Internet, that is no small loss. What's worse is there are signs that the loss of the home network could be permanent.

Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. Think about what this could mean. Should this problem become pervasive, it won't matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still in control because they own the network below. They'll own DNS, the routers in between, and so on. There are effectively few defensive countermeasures to protect home routers and DSL modems, which are not exactly secure to begin with, or to detect if they've been compromised.

These are all reasonable assumptions based on real-world attacks that have been going on for some time now. Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic. It's an increasingly effective strategy for attackers looking to get control of large numbers of systems, without having to re-infect them regularly.

Most users would have no idea how to fix a compromised router or modem, if they were even able to tell it was infected in the first place. And the ISPs, cable companies and other providers have no interest, or expertise for that matter, in trying to identify and clean infected routers or modems. It's not their business model.

It's a bleak picture, but unfortunately, not an unrealistic one.
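One small host-side check for the DNS takeover the article describes, written here as an added example rather than anything from the article or the blog post it quotes: it parses a resolv.conf as a DHCP client would write it, flags any resolver that is neither the gateway, nor a local address, nor on a trusted list, and compares answers obtained through the router with answers from a resolver reached directly. The sample file, the trusted-resolver list and all addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of a resolv.conf as a DHCP client might write it after
# a router hand-out; the second nameserver is the kind of entry to worry about.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed sample, not a real host)
nameserver 192.168.1.1
nameserver 203.0.113.77
search home.lan
"""

# Resolvers the household deliberately uses (constructed placeholders using
# RFC 5737 documentation addresses; substitute the ISP's or your own).
TRUSTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

# RFC 1918 and loopback ranges: a resolver here is on the LAN or the host itself.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    return [m.group(1) for m in NAMESERVER_RE.finditer(resolv_conf_text)]


def classify_resolver(addr, gateway, trusted=TRUSTED_RESOLVERS):
    """Label one resolver as 'gateway', 'trusted', 'lan' or 'unexpected'."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address(gateway):
        return "gateway"          # the router forwards DNS itself: normal
    if addr in trusted:
        return "trusted"          # a resolver the household chose
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"              # another local machine on the home network
    return "unexpected"           # an outside resolver nobody configured


def audit_resolvers(resolv_conf_text, gateway, trusted=TRUSTED_RESOLVERS):
    """Map each configured resolver to its label; 'unexpected' needs a look."""
    return {ns: classify_resolver(ns, gateway, trusted)
            for ns in parse_nameservers(resolv_conf_text)}


def diff_answers(local_answers, reference_answers):
    """Names whose A records from the local resolver differ from a reference.

    Both arguments map hostname -> set of IPv4 strings, e.g. one set obtained
    through the router and one through a resolver reached directly. For a site
    that does not rotate addresses, a mismatch is a classic hijack symptom.
    """
    return sorted(name for name in reference_answers
                  if local_answers.get(name) != reference_answers[name])


if __name__ == "__main__":
    for resolver, label in audit_resolvers(SAMPLE_RESOLV_CONF, "192.168.1.1").items():
        print(f"{resolver:16} {label}")
```

A resolver pushed by the router that is neither the router nor anything you chose is the cheapest signal to watch for; answer comparison catches the case where the router itself is the one lying.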


Comments

I've always operated under the premise that everything is insecure. This means using different browsers for different kinds of browsing activities (one for doing e-banking and e-shopping, another one to read my personal Web e-mail, another one to read my corporate e-mail, etc.) to keep cookie domains separated and provide for isolation.

I also use different operating systems for different things. I avoid using Windows, and focus on Linux, Solaris and Mac OS X depending on whether I want a multimedia, server or desktop experience.

Also, I use OpenBSD for all networking infrastructure at home (firewalls, routers, etc.).

So far, it has worked quite well.

Saying ISPs have no interest flat out isn't true. ISPs don't want to transfer any more traffic than necessary and are responsible when customers complain about a slow connection (no matter what the cause). Many ISPs have a virtual monopoly and should be responsible for maintaining their networks. It is pretty easy to tell on a residential connection that something is wrong. It is simple to enforce TOS and shut off users when they start acting as an open relay or have other recognizable traffic patterns that suggest an infection. Give users an opportunity to use ISP-provided routers and gateways that can be updated remotely with blacklist-based filters, and make the products a benefit of using the service and not a requirement.

This is a problem that will be handled at the ISP level because if it isn't handled by an ISP another will come along that offers a secure, functioning network and users will jump ship to the product that "just works".

My ISP doesn't even allow you to access your own IP from the WAN. It simply cannot be seen (unless you pay for a static IP). The IP you do see isn't really mine at all. Any malware would have to get through the ISP firewall and then mine.

Felipe Alfaro Solana (not verified) on Fri, 05/07/2010 - 12:54pm.

I've used nothing but Windows machines. I've never once gotten a virus or spyware on my computers at home. I do use Firefox or Chrome for browsing. Your paranoia has served you well, but my skill and abilities to keep myself from becoming a victim have served me well.

Please don't spread the FUD about Windows being to blame.  The end users are to blame for a MAJORITY of things nowadays.

If you choose to use an OS written by college dropouts whose main proponents are gamers, then you will have to live on the losing side of the 'Battle for desktop security'.

I choose to use a professional grade OS and don't experience these issues. Drop Windows and use something else and you can feel what it is like to win this battle.

I cannot believe the vast amount of money being wasted in trying to secure Windows. Many people who think they 'need' Windows have never really tried to use anything other than Windows. They are making a completely uninformed decision.

P.T. Barnum would be proud.

Unix is not difficult. OpenSolaris and BSD are free (as in $$$), and Mac OS X is not too costly when you add your cost of anti-virus and anti-spyware subscriptions to the price of your Windows box. Linux is not Unix, but the SELinux kernel, developed by the NSA, delivers a secure OS for home and business users. There are many easy-to-use alternatives to Windows that cost less or about the same. You will have peace of mind and cash to spare.

You know, when copy/pasting multiple paragraphs from another blog, both the left and right margins are supposed to be indented so that it may be differentiated from your own analysis of said text -- particularly when moving text around so you can have a link to the exact article being read.

bush league

I use Windows and Mac for work, Linux for home use. The point of the post is that it doesn't matter what OS you use: if your router and/or modem are compromised, the information going through them is compromised.

While I agree that considering all computers (and other devices too) insecure by default until proven otherwise is a good policy, I disagree that the battle is lost. Instead I believe that the battlefront is expanding to include policy enforcement beyond the desktop. There are several companies now producing solutions that facilitate policy which are quite effective at thwarting botnet behavior. The company that I work for, Umbra Data, provides botnet intelligence that is leveraged by these policy enforcement engines. As this type of approach becomes more common, it will force a behavior change in the battleground.

I call BS, but even if it's the truth, good for you. Your "skill and abilities" astound us all. Yay you. My Mom, brother, neighbors, coworkers, and friends are not so fortunate. Normal Windows users have ALL experienced the BSOD and some type of system compromise. It's not FUD, it is reality. So why don't we learn to STOP blaming users and actually provide them with a safe and useful product. It can be done.

It is not too unreasonable to look to the world of biology to see that multicellular bodies are continually compromised in very complex ways, and that you can extend it as a metaphor to modern day operating systems. Viewed over the longer term, today's botnet infection may evolve into tomorrow's metaphorical stomach bacteria. The only way that happens, of course, is for the neverending battle between white hat and black hat to continue, or even to ramp up. 

However, that sort of self-replicating self-improving outcome also requires that the demonizing of the form (i.e. "computer viruses are bad") get put to bed and replaced with a little more nuance.

Then again, it's just a metaphor, and that one's a classic -- mistaking the metaphor for the model.

yeessss, a compromised router / modem will definitely screw everything up when I use my banking website... ...oh wait, no it won't, because every financial service I have ever used that has user accounts uses SSL encryption. The data is encrypted long before it hits the router / modem. The only way this could really screw things up is if hackers spoof DNS entries in the router / modem and whip up fake sites, but then that is out of the hands of the content providers anyway.

"If you choose to use an OS written by college dropouts whose main proponents are gamers, then you will have to live on the losing side of the 'Battle for desktop security'." That statement is probably coming from some IT drone who wouldn't know good programming if it slapped him in the face. Windows is not the culprit, and security through obscurity is small comfort. How exactly is the Windows OS responsible for poor router security? I'll wager you don't know, so you should probably stick to parroting FUD you understand.

You just don't know you have been infected. Most hackers don't want you to know these things...

@seanlynch: Call me when your "professional grade OS" runs the professional grade software of my Photoshop CS4 Extended that I paid for natively and without any glitches or extra work. What's that? It doesn't? "Use GIMP instead?" GIMP wastes valuable time. I left Linux for a reason, well, multiple reasons actually. That "college dropout" OS has the software I need, Linux doesn't, and it won't, because it isn't worth porting Photoshop to Linux because Linux people, in general, want free software. That's part of why they use Linux! They aren't, for the most part, going to pay for proprietary software.

Call me when I can't build a commodity tower as powerful as a Mac for half the cost. I don't have to pay for anti-virus, so you can't count that against it either. Macs are bloody expensive and I'm not going to put up with their limited ecosystem and upgrade paths.

You can whine all you want about how users are using a "college dropout" OS instead of a "professional grade OS", but at the end of the day, UNIX-based systems either don't do what I need, or charge me far too much for the privilege of doing it. This isn't to say that Linux is "bad," but to assume that either option covers all use cases shows a serious lack of perspective, the same lack of perspective that causes many people not to take the FOSS community seriously.

By the way: I like Microsoft Office 2007 way more than OO.org, and to me it's worth the price difference. Just like Photoshop, it's that much better than its FOSS equivalent.

"but my skill and abilities to keep myself from becoming a victim have served me well."

"Please don't spread the FUD about Windows being to blame."

You may have missed it, but this is part of the problem. You admit it takes a level of skill and ability (i.e. better than average OS knowledge) to keep your computer from being infected.

Yet the Windows OS target market is those without your level of skill or ability. That is essentially the problem. So the "FUD", so to speak, is being spread by those who are Microsoft's target customers. So is it FUD? For those of us with IT backgrounds, or a certain level of knowledge, it's trivial; however, from the standpoint of those not so computer savvy (again the Windows target customer) it's horribly insecure and impossible to keep malware from infecting it.

This article takes it one step further: you now have companies that are assuming that everything is wtfpwnd, so that means business users and IT departments are coming to the same conclusion about the OS, not just "Grandma".

So who's really to blame? Think there's plenty to go around, not just end users.
Is it impossible for a paradigm shift? Can't there be security/privacy by design? Why could we not have hardware encryption at the desktop? Each and every computer item (hardware, software, OS) could be designed first and foremost with privacy/security as the foundation for functionality. There should be continued efforts toward some kind of solution. I know that there are many points of failure, from the back of the chair through the keyboard, via the browser, with a myriad of vulnerabilities to the end system and back. But all is lost as soon as we give up on any new solutions. We have the computational speed to make extreme encryption viable at the lowest levels of the hardware, BIOS or whatever Apple calls their initial hardware wakeup call. There isn't any cure for stupidity, but ignorance needn't be quite so painful if security/privacy by design and implementation is of paramount importance in every new technical product. I acknowledge the complexities of such a monumental task and that there isn't any easy answer for such an extremely complicated and complex problem, but we ought not give up trying to thwart criminal behavior or cower to Luddite prohibitions.

I've used many Windows products with excellent anti-virus software. The one of choice is Kaspersky as they seem to update their databases more frequently, though it is not quite as user friendly as Norton's. The more user friendly an anti-virus is, the easier it is to get compromised. Even Kaspersky is not invulnerable as malware is now embedded in ads on popular websites. For everyday use I use Red Hat, again not that user friendly, always have to reinstall my third-party video driver from run level 3 and it is kind of a pain. But for an SELinux system to be compromised would be a pretty big feat and if it does get compromised the spread is limited. Though Linux is free I chose to get support through Red Hat Enterprise. It was worth the 80.00

Windows insecurity stopped being the "fault of the end users" the day you didn't have to do anything other than connect to the internet without a firewall to have your computer infected with viruses. And sure, this article isn't specifically about Windows, but it seems that most consumer-grade routers and modems are built with the exact same cavalier attitude towards security that Microsoft had (and still has) about security.

"There is effectively little defensive countermeasure"

OUCH. 

People, please read security white papers: the latest trends are not holes found in the OS but the applications installed, mostly Adobe and Java applications. Windows is much more secure than Mac OS X, this is a fact; Microsoft also fixes holes quicker than Apple and that is a fact. What people fail to understand is that hackers target the most widespread, which is Microsoft; why target a small market share? Using a Mac is not a guarantee that you won't get lured into a social networking scheme, this is another trend that is greatly on the rise.

If hackers attacking home networks is on the rise then they will go after the most common, which would be as simple in my mind as finding out who the largest ISP is and determining what the most common router they use would be. Something else to think about: smartphones outnumber PCs, so expect things to get worse for them as well.

I agree that there is plenty of responsibility to go around with respect to this issue. But I'd like to add a couple of things:

1. With technology has come an increasingly fast-paced lifestyle. It's getting harder and harder for many of us to keep up. Solutions, on the part of the end user, take time, and maybe some money.

2. Isn't it just possible that the stated attitude about how "the battle is already lost" is another propaganda message from large companies? It's a perfect message: "We're giving up now, because the battle has already been lost". The subtext may be "Oh, and conveniently for us companies, we won't have to put another nickel into security based on the above assumption".

Infected modems and routers increase the likelihood of being targeted by man-in-the-middle attacks. This doesn't really change anything fundamental and there have been solutions to this available for some time: authentication through trusted third parties.

If certificates are issued on physical SIM cards and never moved over the network, or even onto a client machine, then full protection against man-in-the-middle attacks can be provided.

You're all correct, and all wrong :)

First, computing is really in a lousy state. In spite of the fact that a lot of years have passed since the dawn of the computer age, the industry is barely in a juvenile state.

Operating systems and applications are written in languages and with methods that are really clunky and not secure by their very nature.  The claim that the battle has been lost is probably a valid one. The war, on the other hand can be won in the future, but it will take a major rethink and redesign of languages, OSs and applications.

Market inertia is the enemy. Look at Microsoft and Windows. The only way to really fix it is to redesign it from scratch. But that would mean devoting resources to a major project - resources that could make for great short-term profit.

Linux has a different development model, and it is seeing a certain amount of bloat and cruft simply because it has been around so long. While the Linux security model (borrowed from Unix) is better than that of Windows, it is not impenetrable either. While OS X is more "Unixy" than Linux, it is also not perfect. In order to fix them, you'd have to start over, too.

The point is that all have their problems, while Windows is the worst for a variety of reasons, it is not alone. Then we get into the modems and routers (a lot of them running customized Linux) and we have more opportunities yet for security problems.

In short, it's not the OS, application or embedded system that is the problem. They are the results of an immature industry that will take a long time to grow up. When it does grow up, software in its various forms will be written in a totally different manner with completely different tools and languages.

In our home network we have some simple rules we follow. We use all Windows machines and they get the occasional malware but that's it. We don't use automatic update, no active virus programs or specific software firewalls (except the XP SP2 one). The rules are these.

1. A good gateway/firewall with occasional restarts or firmware upgrades.
2. Users never run with administrative privileges, ever. Only installs should ever require it. If an app must have it, we don't use it. Most games will not need it.
3. Only use IE when sites don't support anything else.
4. Use common sense when browsing. Don't run random apps.

The few times we have been infected by malware is because of IE use. But even then it is easily removed since the sw didn't have administrative rights.

Hey,

No, we have not lost the desktop security battle.

At least, LANDesk's customers don't have this feeling that the security battle is lost. Quite the opposite.

If you are using AV and spyware protection and the automated patch process to keep patched, you are covered on everything except zero day devices. If you deploy LANDesk's Host Intrusion Protection (HIPS) then you are safe even from zero day viruses.

Not that I feel married to any particular O/S, but I do not understand your belief, true or not, there is a "...vast amount of money being wasted in trying to secure Windows." 

I use that O/S, and it is not costing me anything other than the initial purchase price. Patches, hotfixes, etc., are included for the life of the O/S, and reasonable security software is available for free (e.g., Security Essentials, AVG).

These days, risk is best mitigated by behavior.

> "Microsoft also fixes holes quicker then Apple and that is a fact."

http://www.webdevout.net/ie-is-dangerous Microsoft has a horrible record of security. They left a huge IE8 hole open from September, when they were told about it, until the infections started in March. Microsoft does NOT do security well. Users are also idiots to believe the IRS emailed them an executable attachment about their taxes or UPS sent them an email about their package being damaged with an executable attachment. Still, Microsoft is not doing their job AND the users aren't doing their job. That doesn't make Microsoft good enough. And just a shot at the "Written by dropouts and gamers for Windows": I hate Bill Gates but I'll still give you that Microsoft hired a ton of college graduates who are skilled to write the current generations of Windows. It isn't Billy who's doing the work any more. Microsoft tries hard to hire quality people. You can say Linux (ReiserFS) is written by a murderer but that really isn't relevant to the discussion either.

See, you're the typical Windows-hating user who will not shy from saying just about anything, true or false, just to spread his hate of Windows. I mean, I don't care if you like a certain OS or not, that's your right and your business, but to call Mac OS secure, or Linux... come on. I thought people who read these articles were knowledgeable, or at the very least informed. It's embarrassing to see this sort of post. It's annoying enough on the daily news where the computer expert is the guy who knows how to make a CD copy, but here :(. I think, at least I hope, most people here are well aware of the gaping security holes in products such as Mac OS or Google Chrome that went unfixed for quite a while. And you mean to tell us that with all the flavours of Linux times the number of kernel recompilations that security is not an issue?

It's a numbers game. Windows is dominant on the market and generations of users/programmers/hackers have grown up with Windows around. So it's Microsoft vs the world. Sooner or later someone out there will find a flaw. Of course that does not happen with Mac or Linux because, unlike everything else in this world, they're perfect.

Funny how you never hear people like Linus Torvalds make such comments. They actually know what goes into the making of an OS.

> Funny how you never hear people like Linus Torvalds make such comments. They actually know what goes into the making of an OS.

Did Torvalds make an OS, or the kernel that made the GNU OS that Stallman and others had been working on since circa 1984 usable?

I would think, considering the information you're dealing with, financial etc., that believing a desktop is compromised or could become compromised would be a standard security protocol, and planning around this should be standard practice.

Copyright © 2012 threatpost.com