Wednesday, October 15, 2008

Security - ur doin it rong

Yeah, you. Not your fault, though - seems pretty much all the security products are teh sux0rz:

Security software suites don't protect users from real-world exploits, a bug tracking company charged today after launching 300 test attacks against a dozen programs, including popular software from McAfee Inc., Symantec Corp. and Trend Micro Inc.

"The Internet security suites are marketing themselves as the one solution users need to be safe online," said Thomas Kristensen, chief technology officer at Secunia Inc., which ran the tests. "In our opinion, that's just not true."

OK, so most security products aren't very good. Just how bad are they?
While Symantec's Norton Internet Security 2009 took honors, it detected only 64 out of 300 exploits, or just 21% of the total. Even so, that beat most rivals by substantial margins. Trend Micro's Internet Security 2008, for example, only detected 2.3% of the exploits, while McAfee's Internet Security Suite 2009 identified 2% and Microsoft's OneCare spotted just 1.8% of the exploits.
One out of 5 attacks stopped. Or one out of fifty. Probably a decent definition of "teh sux0rz". The Internet Security Advisory System is set to "Martinis".

So what does this mean for normal people (like you)? Nothing good, I'm afraid.
  • If your Windows computer is older than 6-8 months, you should probably assume that it's already been taken over by malware. The malware is much higher quality than it used to be, so it probably doesn't crash all the time like it used to.
  • If you use Internet Explorer as your browser (and Sitemeter tells me that a bunch of you do), then your computer is probably pwned if it's 3 months old.
  • If you don't have a firewall in your DSL/Cable router (Linksys, D-Link, etc), or if you have one but don't have it turned on, you should assume that your Windows computer was pwned within a couple of hours of first being plugged in. No, that's not a mistake, and it's actually worse than that: the measured survival time of an unprotected Windows box on the open Internet is about 4 minutes.
  • If your computer is acting goofy, I would assume compromise, rather than hardware failure. Of course, I was trained to be paranoid by the finest security paranoids in the free world.
Sigh. Yes, it really is as bad as this.

So here's what you should do:
  1. Back up your data. Really. 500 GB USB hard disks are cheap. Get one, and use it. Do not back up your application files - these are all suspect if the computer is pwned. And for you smug Mac fanboys, you should do this, too.
  2. When you're done, completely reload your Windows OS from the recovery disk that came with your computer (you do still have it, right?). No, I'm not joking. The reason is that once you think that your computer is compromised, you can't trust any of the programs on it. Blowing it away and restoring it to a known good state is the only solution. And you Mac fanboys can stop grinning - I'll come back to you in a bit.
  3. Install fresh copies of your apps (iTunes, Firefox, etc), and then restore your data. You're now back to a clean computer, but you want to take a couple more steps so that you won't have to do this again in 6-8 months.
  4. If you use Internet Explorer, just stop. Get Firefox for day-to-day browsing, and Opera for financial transactions (and only financial transactions).
  5. Install VMware. Chris Byrne had a good post about virtual environments a while back, so I won't go into it much, except to say that VMware lets you run a complete, virtual computer inside your computer. You're going to set up a VMware image where you do all your "risky" activity. Basically, you're going to have your games, office apps, iTunes, and Opera on your real computer, and your regular browser in the virtual image. Since day-to-day browsing is the primary risk, you want to make it easy to reload that image to a known good state.
Oh, and get yourself a stinking firewall, if you don't have one. If you're about to buy a computer, get a stinking Macintosh (or even better, Linux!).

This isn't bulletproof, but it means that you're much safer from malware, just because it mostly won't come into your real computer, and you can easily reset your virtual one to a known good state. This means that you're much, much less likely to get pwned and have to rebuild your computer (or worse, have your personal info stolen).
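Here is one concrete way to do the "reset the virtual image" part of step 5, added here as an example; it is not from the original post or from the promised Part 2. It is a small POSIX shell wrapper around VMware's vmrun command-line tool, which ships with Workstation and Fusion (vmrun.exe exists on Windows hosts too, but this script is written for a Linux or Mac host). The VMX path, the snapshot name "clean", and the VMRUN/VMTYPE variables are assumptions for the example.

```shell
#!/bin/sh
# Disposable browsing VM helper (added example; not from the original post).
# Wraps VMware's vmrun CLI. Assumed environment: VMware Workstation ("ws")
# or Fusion ("fusion") on a POSIX host, and a guest VM that already has the
# OS, its patches and Firefox installed.
set -e

VMRUN="${VMRUN:-vmrun}"               # path to the vmrun binary
VMTYPE="${VMTYPE:-ws}"                # ws = Workstation, fusion = Fusion
CLEAN="${CLEAN_SNAPSHOT:-clean}"      # name of the known-good snapshot (assumed)

# Every vmrun call goes through here so the product type is set once.
vm() {
    "$VMRUN" -T "$VMTYPE" "$@"
}

# Shut the guest down if it is running: try a clean (VMware Tools) shutdown,
# fall back to pulling the plug, and do nothing if it is already off.
power_off() {
    vm stop "$1" soft 2>/dev/null || vm stop "$1" hard 2>/dev/null || true
}

# Run ONCE, before the image has ever visited a web page: freeze the freshly
# built guest as the known-good state. Taken powered off, so a revert always
# lands on a cold, clean machine rather than a suspended one.
mark_clean() {
    power_off "$1"
    vm snapshot "$1" "$CLEAN"
}

# Start a browsing session: throw away any previous state, then boot.
begin_session() {
    vm revertToSnapshot "$1" "$CLEAN"
    vm start "$1"
}

# End a session: power off and revert, so whatever the browser picked up
# is gone before the next session (and before the disk is left idle).
end_session() {
    power_off "$1"
    vm revertToSnapshot "$1" "$CLEAN"
}

# After deliberately patching the guest in a fresh session, re-baseline:
# replace the old clean snapshot with the patched one.
rebaseline() {
    power_off "$1"
    vm deleteSnapshot "$1" "$CLEAN"
    vm snapshot "$1" "$CLEAN"
}

usage() {
    echo "usage: $0 {mark-clean|begin|end|rebaseline} /path/to/browser.vmx" >&2
}

case "${1:-}" in
    mark-clean) mark_clean "$2" ;;
    begin)      begin_session "$2" ;;
    end)        end_session "$2" ;;
    rebaseline) rebaseline "$2" ;;
    "")         ;;                    # no arguments: just define the functions
    *)          usage; exit 2 ;;
esac
```

Run `mark-clean` once, right after the guest has been installed, patched and given Firefox, and before it has touched a single web page; from then on every browsing session starts with `begin` and ends with `end`, and anything the session picked up dies with the revert. Two caveats a practitioner would want: the guest is only as disposable as the boundary around it, so leave VMware's shared folders and drag-and-drop between guest and host turned off (they hand malware a bridge to the "real" computer), and patch the guest on purpose in a fresh session followed by `rebaseline`, rather than letting an old, unpatched baseline accumulate.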

Now to the smug Mac fanboys, a couple of points:
  • Back up your data. No smirking allowed until you've done that.
  • Mac really isn't much more secure than Windows. It is a little more secure, but the real reason there's not much malware is that Apple's market share has been tiny. That's changing - 10% of new computers are Macs, and that's growing. If things keep going this way for 2 or 3 years, you can expect a load of malware targeting OS X. Since "everyone knows that Mac is secure" it will be a target rich environment for the Bad Guys. It's a Bad Moon Rising.
I'll post tomorrow on how to set up a VM image for your day to day browsing, and how to reset it when you're done to keep it clean. I'll also discuss why things have gotten so bad (Cliff's Notes version: the Bad Guys are making a ton of money on malware).

Sigh, again. Sometimes I think that Tam has the right idea, running old Macintosh computers. She's right, nobody would spend time trying to hack OS 9. I presume that she's happy not getting new apps (which nobody is writing for OS 9).

Sigh again, and yet again. Folks, this has been my life's work (with a bunch of other, smarter folks), and it looks like we've utterly failed. A few of my regular readers are system administrators and generally wicked smart computer guys. Please comment, folks. Is it as bad as I'm making out?

UPDATE 16 October 2008 17:50: Part 2 of this post continues here.

2 comments:

Anonymous said...

Dude, you worked for NSA? Sweet.

As for malware and the like, I've embraced the horror and just rebuild my box every few months.

Borepatch said...

It sounds more glamorous than it is ...

And the downside is that it makes me rebuild my systems, just in case. :-p