Friday, March 26, 2010

Security: We have achieved a state of FAIL

I've had a couple people ping me recently about their computers which were "acting weird" and presumed infected. I also spent the better part of a Sunday afternoon at the home of one of our friends, who had not one, but two computers infected.

In all of these cases, the computers had up-to-date antivirus.

It's time to declare FAIL. There is so much money in computer crime - a $Trillion in 2008, we're told; the TJX hacker was just sentenced to 20 years in Club Fed for his role in a $200+M break-in - there's so much money that the attackers are increasingly able to get past the defenders. I mean, you can discount a trillion dollars a lot and still beat the Computer Security industry by a factor of ten.

So what do you do? Note that I'm talking to home users now. Corporate attacks (the dangerous ones, anyway) are different, with different motivations, goals, techniques, and defenses.

Home users need to choose one of the following:

1. Move from Windows to Macintosh or Ubuntu Linux. People with little appetite for computer stuff should bite the bullet and pay the Apple Tax; people with a high tolerance for mucking around should move to Linux. Note that Ubuntu is designed to be easy.

It's not that these Operating Systems are more secure than Windows - they are, but Microsoft is actually closing the gap pretty fast. It's that they're a much, much smaller target for the Bad Guys. If you run on these OSs, there are many fewer people writing code to attack you. "Many fewer" means "probably 90% fewer, possibly more than 90%, possibly a lot more".

2. Make your Windows system easy to recover. Corporate IT departments long ago shifted to a strategy of "nuke it from orbit and reinstall" for infected computers. They moved this way because it was too hard to keep from being infected in the first place. The dirty little secret of the security industry is that antivirus products have maybe - maybe - a 50% chance of detecting new malware. The smart money is that the chance is more like 20%.

Think about that - a four-out-of-five chance of missing the new attacks. No wonder everyone's getting infected.

Keep all your data in your "My Documents" folder (the computer will want to do this naturally, so this isn't too hard). Every day or two - at a minimum, every week - back up your "My Documents" folder to an external location. I like these, although you should read the comments to that post.

Make sure you keep your "Restore CD" around. When you think that your computer may be infected, don't bother trying to fix it. The Restore CD will give your computer that "new computer smell", and then you can copy your files back from the backup location. Don't forget to run Windows Update, which will automagically get you the latest security fixes.

Yup, your strategy on Windows is "Nuke it from orbit and reinstall". Just like the corporate guys do.
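The backup-and-restore routine above is easy to get subtly wrong: a single mirror copy that is overwritten every run will happily replace your only good backup with already-infected or damaged files. The script below is an added example, not code from the original post, that keeps one dated snapshot per run, verifies every copied file by SHA-256 before trusting the snapshot, prunes old snapshots, and restores a chosen snapshot into a fresh "My Documents" after a reinstall. The folder names, the `KEEP` count and the sample files in `run_demo()` are constructed assumptions; point `make_snapshot` at your real "My Documents" and an external drive to use it for real.

```python
"""Versioned backup of a "My Documents"-style folder to an external location.

Added example, not from the original post. Assumptions: the caller passes the
source folder and the backup root; snapshots are named by UTC timestamp so
they sort chronologically; KEEP is how many dated snapshots survive pruning.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

KEEP = 7  # assumption: keep a week of daily snapshots


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(src: Path, backup_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy src into backup_root/<timestamp>/ and verify each file by hash.

    A fresh directory per run means a later infection (or a file-corrupting
    overwrite) cannot silently replace the only good copy.
    """
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / stamp
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists")
    shutil.copytree(src, dest)
    # Verify the copy: any hash mismatch discards the whole snapshot.
    bad = [p for p in src.rglob("*")
           if p.is_file() and sha256_of(p) != sha256_of(dest / p.relative_to(src))]
    if bad:
        shutil.rmtree(dest)
        raise IOError(f"backup verification failed for {len(bad)} file(s)")
    return dest


def prune_snapshots(backup_root: Path, keep: int = KEEP) -> List[Path]:
    """Delete all but the newest `keep` snapshots; return the removed ones."""
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    doomed = snaps[:-keep] if keep > 0 else snaps
    for d in doomed:
        shutil.rmtree(d)
    return doomed


def restore_snapshot(snapshot: Path, target: Path) -> None:
    """Copy a snapshot back into an (empty or existing) target folder."""
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copytree(snapshot, target, dirs_exist_ok=True)


def run_demo() -> Dict[str, object]:
    """Walk the whole cycle on a constructed folder and return checkable facts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "My Documents"                       # constructed sample data
        (docs / "letters").mkdir(parents=True)
        (docs / "letters" / "mom.txt").write_text("Hi Mom")
        (docs / "budget.csv").write_text("rent,900\n")
        ext = root / "E_drive" / "backups"                 # stands in for an external drive
        ext.mkdir(parents=True)

        first = make_snapshot(docs, ext, stamp="20100326T090000Z")
        (docs / "budget.csv").write_text("rent,950\n")     # the user edits a file
        second = make_snapshot(docs, ext, stamp="20100327T090000Z")
        removed = prune_snapshots(ext, keep=1)

        # "Nuke it from orbit": a fresh machine with an empty My Documents.
        fresh = root / "fresh" / "My Documents"
        restore_snapshot(second, fresh)
        return {
            "first_name": first.name,
            "removed": [p.name for p in removed],
            "remaining": [p.name for p in ext.iterdir()],
            "restored_budget": (fresh / "budget.csv").read_text(),
            "restored_letter": (fresh / "letters" / "mom.txt").read_text(),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two design choices matter here. Verification by hash catches the silent failure mode of a half-written or corrupted copy, which a plain `xcopy`-style mirror never reports. Keeping several dated snapshots rather than one mirror means that if you discover the infection a few days late, the snapshot from before it still exists; set `KEEP` to cover the longest gap you expect between getting infected and noticing.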

And whatever you do, do not run Internet Explorer 6 or 7. Ever ever ever. IE 8 is OK, Firefox is better, and Opera is probably best of all. I'd steer clear of Safari if you're on Windows because they don't have a very good security update mechanism.

It's a bit humbling as a security guy to have to say that it's Game Over. But it is. We need to recognize the world for what it is and be prepared to deal with it.


bluesun said...

What really sucks with that is the recent trend for computer programs, such as games, to have the "3 installs and then you're up the creek" thing. Then, with some computers, they don't come with the actual install CD. Sometimes, the world just seems to work against you.

Marcus said...

Chrome is currently the only browser still standing at this year's CanSecWest Pwn2Own "exercise". Tony Bradley's article is a decent view on it.

JohnK said...

For another view on "It's that they're a much, much smaller target for the Bad Guys...." see The Myth of "Security Through Rarity"

Arthur said...

"They moved this way because it was too hard to keep from being infected in the first place"

Personally I think the entire quote "nuke it from orbit - only way to be sure" is a closer match.

Ripping out rootkits and various garbage is just hard to do with any certainty without a complete wipe.