% fortune -ae paul murphy

Securing the PC

An interesting report by Robert Lemos on Security Focus last week got me thinking about the money and effort going into what the PC people think of as "security."

What the report was nominally about was the difficulty PC defenders have in shutting down bot-net attacks where control moves across many hosts. Here are two key bits from the report:

Traditional bot nets have used Internet relay chat (IRC) servers to control each of the compromised PCs, or bots, but the central IRC server is also a weakness, giving defenders a single server to target and take down. An increasingly popular technique, known as fast-flux domain name service (DNS), allows bot nets to use a multitude of servers to hide a key host or to create a highly-available control network. The result: No single point of weakness on which defenders can focus their efforts.

Last month, two significant online threats -- the Storm Worm and a recent MySpace Web virus -- became the latest malicious programs to incorporate fast-flux hosting into their infrastructure. A recent Storm Worm infection, for example, connected to a bot net that had more than 2,000 redundant hosts spread amongst 384 providers in more than 50 countries, said analyst Baldwin, who is the chief forensics officer for myNetWatchman.com.

"That is what you would have to take down in order to shut down the bot net," he said. "It's already ridiculous trying to get an IRC command-and-control server taken down. Now, we are talking about a bot net, that in order to disable it, you have to take down thousands of hosts."

...

In late April and early May, networks of zombie PCs were used to attack the Web sites and infrastructure of the government in the Northern European country of Estonia. In June, the FBI announced that the agency had identified more than a million compromised PCs infected by bot software.

Bot-net controllers, also known as bot masters, typically search such systems for financial information and use stealthy keylogging software to record usernames and passwords. The systems are also frequently used to overwhelm corporate networks with garbage data in denial-of-service attacks or send spam advertising penny stocks, fake pharmaceuticals or job scams. At any given time, there are 1.5 million different zombie computers sending spam, according to security firm Secure Computing, which estimates that 50 million computers are currently compromised with bot software.
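The report above describes fast-flux by its observable traits: one hostname that resolves to a large, rotating pool of hosts spread across many providers, with short-lived answers. Those same traits are what a defender can score from repeated DNS lookups. The following is an added example, not code from the article, the Security Focus report, or myNetWatchman: a small Python heuristic that takes a series of lookup snapshots for one name and flags the combination of short TTL, many distinct hosts, many distinct /16 prefixes (used here as an offline stand-in for "distinct providers"), and high churn between consecutive answers. The input is constructed, and the thresholds are assumptions chosen for illustration rather than values from the article; a short-TTL CDN with a fixed pool is included to show why TTL alone is not enough.

```python
"""Defender-side fast-flux DNS heuristic (added example, not from the article).

Scores repeated A-record lookups of one hostname for the traits the quoted
report describes: many distinct hosts across many providers, rotated quickly.
Inputs are constructed; thresholds are assumptions, not article values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Lookup:
    """One DNS A-record answer set as observed at one point in time."""
    ttl: int                    # TTL in seconds returned with the records
    addresses: tuple[str, ...]  # IPv4 addresses in the answer


@dataclass(frozen=True)
class FluxReport:
    distinct_hosts: int     # unique IPv4 addresses seen across all lookups
    distinct_prefixes: int  # unique /16 networks (offline proxy for providers)
    min_ttl: int            # shortest TTL observed
    churn: float            # mean fraction of addresses replaced between lookups
    suspicious: bool        # all thresholds met together


def _prefix16(addr: str) -> str:
    """Collapse an IPv4 address to its /16; assumption: a rough provider proxy."""
    return str(ip_network(f"{ip_address(addr)}/16", strict=False))


def _churn(lookups: list[Lookup]) -> float:
    """Average share of each answer set not present in the previous one."""
    if len(lookups) < 2:
        return 0.0
    total = 0.0
    for prev, cur in zip(lookups, lookups[1:]):
        p, c = set(prev.addresses), set(cur.addresses)
        total += 1.0 - len(p & c) / max(len(c), 1)
    return total / (len(lookups) - 1)


def assess(lookups: list[Lookup], *, ttl_max: int = 300, host_min: int = 10,
           prefix_min: int = 5, churn_min: float = 0.5) -> FluxReport:
    """Assumed thresholds: flag only when short TTL, host spread, provider
    spread and churn all occur together, since any one alone is ordinary."""
    hosts = {a for lk in lookups for a in lk.addresses}
    prefixes = {_prefix16(a) for a in hosts}
    min_ttl = min(lk.ttl for lk in lookups)
    churn = _churn(lookups)
    suspicious = (min_ttl <= ttl_max and len(hosts) >= host_min
                  and len(prefixes) >= prefix_min and churn >= churn_min)
    return FluxReport(len(hosts), len(prefixes), min_ttl, round(churn, 2), suspicious)


def constructed_flux_lookups(rounds: int = 5, per_answer: int = 5) -> list[Lookup]:
    """Constructed sample: every answer is a fresh group of hosts in new /16s."""
    out, n = [], 0
    for _ in range(rounds):
        addrs = []
        for _ in range(per_answer):
            addrs.append(f"10.{n}.{n % 7 + 1}.{n % 200 + 1}")  # constructed addresses
            n += 1
        out.append(Lookup(30, tuple(addrs)))
    return out


def constructed_cdn_lookups() -> list[Lookup]:
    """Constructed sample: short TTL but a fixed pool in one /16, like a plain CDN."""
    pool = ("10.200.1.10", "10.200.1.11", "10.200.1.12", "10.200.1.13")
    return [Lookup(20, pool[i % 4:] + pool[:i % 4]) for i in range(5)]


if __name__ == "__main__":
    print("flux-like:", assess(constructed_flux_lookups()))
    print("cdn-like: ", assess(constructed_cdn_lookups()))
```

In practice the snapshots would come from periodic resolver queries, and the /16 proxy would be replaced by a real ASN or prefix lookup; the point of requiring all four traits at once is that short TTLs and rotating pools are normal for content networks, while provider spread combined with near-total churn is what sets the report's "thousands of hosts" pattern apart.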

The real message, however, is one that seems to escape most of the people getting their daily deluge of this kind of information: PC security is a lost cause - and people who tell you otherwise are either lying or dangerously naive.

There are three main reasons:

  1. the PC security universe consists of mutually symbiotic attackers and defenders with both sides dependent on Microsoft and Intel for their cash flows - cash flows now amounting to billions of dollars each year and which both sides can reasonably be expected to lie, fight, and scheme to protect.

  2. the PC community lives in a state of perennial optimism (aka delusion): everyone agrees security is a problem - but it's always someone else's problem, never theirs. Personally, I have no idea whether the fifty million number put forth by the oxymoronic "Secure Computing" is realistic, but I guarantee you that essentially all of the people responsible for those machines either don't care, are deeply ignorant, or are lying to themselves about their vulnerabilities.

  3. people selling PC products stress how little knowledge is needed to use them - and then sell the same people security tools that need both expertise and discipline to use. People often lack both - and as a result PCs may start clean but the combination of attacker progress with user mistakes or inertia leaves most machines essentially unprotected after only a few months of use.

The right answers are obvious: in the long run the PC community has to clean up its own mess - change or abandon x86, build a simpler, more reliable OS, adopt effective self-policing, shift from defence by reaction to defence by prevention, and align its own monetary incentives with protecting, rather than exploiting, the customer.

Sadly I don't think those miracles will happen any time soon; so, in the meantime, what?

Not caring may be a perfectly reasonable strategy - one way or another that's what Secure Computing's fifty million people are doing and they can't all be wrong - can they? In fact, I'll bet there's a market for a hacker supported piece of open source software that simply lets people surrender by offering attackers 24 x 7 access to data and a controlled piece of the computing resource - trading off a hypothetical privacy and some bandwidth for freedom from security hassles and stress.

On the other hand, if you think security does matter to you, you need to start by defining what you actually care about. Remember that all the noise, losses, and excitement selling the multi-billion dollar "PC security" industry is based on the kind of Mickey Mouse attacks companies like Secure Computing focus on - attacks that have nothing at all to do, except perhaps as camouflage, with the longer-term strategies of national governments like that of Communist China aimed at creating and testing exploitable vulnerabilities. In other words, if your security needs amount to little more than keeping up, albeit always in arrears, with PC attackers - then all you need to do is help keep the cycle spinning by contributing to industry revenues and hiring.

But what if security really does matter? Then you have to abandon the PC: there are no other options. Get away from anything on x86, get away from Windows on anything, physically disconnect secure networks from each other and the internet, use humans to buffer all forms of electronic data transfer in which one side is supposed to remain secure, and start paying close attention to who writes your code - including the stuff you can't see in the ROMs and EPROMs you depend on.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.