The volume - if not the variety - of malware samples has undergone almost exponential growth over the last three years. Malware samples reached 5,490,960 in 2007, five times more than the 972,606 recorded in 2006; which was itself almost three times more than the 333,425 recorded in 2005. The figures, compiled by AV-Test.org, …
Wasn't it mentioned / predicted years ago that this would happen and that the whole virus protection racket was a dead-end method?
Much better off locking the door in the first instance than leaving it wide open and clubbing the burglars as they come in! Especially as there are an infinite number of burglars and a finite number of clubs.
> Locking the door
Great idea. How do we do it?
A Novel Solution, if a Bit Brutal
Install a large number of nodes across the internet that just silently detect and track malware, and trace it to its source (e.g. eventually locate where the bot herder is logging into his bot server from, and so on). Then make use of all those ex-spies, assassins and mercenaries from the cold war, and more recent eras, who are out of work, to identify the culprits. Bing - badda - boom, another unexplained and grisly accident. So sad. No more malware.
Great idea. How do we do it?
- Well, it starts with managers, architects and developers thinking of security as an absolute requirement, rather than a nice-to-have that must never get in the way of project schedules or looking cool. With them being intellectually capable of rejecting a whole function, program, architecture, standard or even technology, no matter how leet, if it cannot be made secure.
- Basically, we have to make poor security something that is so expensive, either monetarily, or in terms of a social stigma, that the crap wonks who previously have not cared either go bust or get driven out of the industry (and that includes the OSS community, how about banning commits from anybody who fails to correctly parse arguments, or puts data into a buffer without checking its bounds?)
Good security starts with a good attitude.
Re: "Heh" & "Locking the door"
I wasn't calling for it at all, but as you mention it, I think white listing is basically a good idea. I just wouldn't bother paying anyone for it! I use grey/white listing on my email server - it works very well indeed, but it doesn't cost me a penny.
As for how do we lock the door, well, it's a tired old argument but we could start by using more secure systems (it is left as an exercise to the reader which OS family is top of the list to throw in the skip).
Our more secure OS should have a decent firewall (rather than the Mickey Mouse efforts that get pushed as "default" in some OSes).
While we're at it, we could use more secure emailing clients that don't allow random software to be installed on our machines (though our more secure OS with its more secure demarcation of user responsibility and privilege would help a little here).
...and we could use more secure web browsers that don't execute all sorts of stuff they don't actually need to.
What about using word processor & spreadsheet apps that aren't so complex and full of junk that nobody actually uses 10% of them?! Simple software is easier to maintain and less likely to contain security holes. While we're at it, is it just me that finds it odd that a basic user application like a word processor can be a target for a "critical" security exploit? How did we ever get to the stage where such applications have or need any CONCEPT of a security exploit? It's just fundamentally wrong! Writing a letter should NOT imply a security risk! It's bonkers!!!
As an aside, I've been throwing some old computer stuff out recently and came across some old Windows 3.1 disks - all 3 of them! (or was it 4?). After decompressing, that can't represent more than about 10MB. I'm not suggesting W3.1 was secure (God, no!), but does a multi-GB MS Vista OS installation (for example) give me 1000 times more functionality than my old W3.1? It should do if the size of the code is anything to go by. But in reality, it doesn't. It's just full of junk that I don't care about, don't use and just sits there waiting for a security hole to be exploited. And it runs SLOWER!
Shall I go on? No - I'll spare you... :-)
But problems will always exist.
Social engineering is at the top of the list. That door will ALWAYS be open somewhere. It always has been. The internet just scales the problem to a larger venue where even a small probability of a scan working (1/million) allows for big bucks to be "earned". We are all a greedy bunch, and I don't think human nature is going to change.
Sad, but true.
You can't fix the insecurity of the internet with application software
What is really needed is an internet programmed for security. The whole of the current internet architecture depends on the honesty and goodwill of all of its users.
This was somewhat valid back in the first days of ARPANET, when it connected a few dozen universities and defense contractors, but now it is an insurmountably FALSE assumption.
A secure internet for commerce and academia needs to enable the swift tracking of criminal traffic. This could be done. But replacing the current internet and its protocols won't be cheap or simple.
This said, if it was possible to make anything vandal proof, the makers of vehicles and buildings would have found it in the past 1,000,000 years.
There is just no way, using software and hardware, to prevent people installing well written trojans.
Plus, on large software or firmware projects, there is just no way to ensure that nobody on your staff ever has a bad day where they miss a mistake.
As with bank vaults and military tanks, thick walls are not enough. You need active force to prevent penetration of defenses. And for inhibiting malware creation and use, this means laws and law enforcement that work swiftly and accurately to put the real criminals behind bars for adequate periods of time to create a deterrent effect.
As it is, many criminals refuse to admit that breaking into other people's computers without permission is an immoral act that ought to have criminal responsibilities. People with low morals either see any legal act as a moral act, or they see any unpunished act as a moral act.
The alternative, white listing of software and firmware, would involve the OS maker (or someone else) issuing licenses for approved safe software. Issuing the licenses won't be free.
In the end, maybe in 10 years, we'll collectively see there is no alternative to overhauling the architecture of the internet to create security, and to using white-listing.
Until we collectively reach that decision, we are stuck with virus scanners, and improving law enforcement.
Panda Security - Send in the Clouds
I was at the Panda Security Seminar where they revealed that we were all basically shafted as there was no way we could counter the attack of the Trojans/Malware/Spyware/Viruses and we were all infected no matter what system of anti-virus/malware we were using -
So they were heading for the Internet Clouds.
With their anti-trojan banking widget the client would go to the specific bank's home page and they would more or less be forced to download a widget that would scan their PC and report to "The Panda Cloud" - If nasty trojans are found that target that specific bank - And this is the killer - "only that specific bank" -
the client would not be able to access the bank site.
They then would I suppose push some Panda solution. It sounds like this is the future for Anti-Virus/Trojan systems -
I would imagine we will end up with each PC having a digital ID card which will be great for the Home Security and Music/Movie Moguls but bad for the lovers of "The Wild Wild West Show"
Enough is enough
I think we desperately need to reduce the number and complexity of questions users get asked. Most average PC users get bombarded by so many messages that they just click "OK" without understanding them, often without even trying to. If you put up a fake Windows security warning saying "You are in danger of not receiving pop-up adverts. Click OK to install adware now" I reckon a sizable portion of the population would click "OK." Warnings need to be infrequent enough and clearly worded enough that they make people stop and take notice.
I changed my business over to Linux because I was sick of wasting time cleaning up spyware and adware infections on fully patched systems running up-to-date antivirus products from well known vendors. I was also sick of paying for these antivirus "solutions" when they failed to identify, let alone solve, 90% of the programs that were installing without our consent. Don't get me started on my feelings about Windows seeming to allow almost any piece of scumware to elevate a restricted user to an administrator and install itself in the first place.
I'm not trying to MS bash on this occasion but they desperately need to do something to stop these privilege escalations and to make most users run as limited unless they are actually doing something that requires admin ability. I wouldn't have changed platform or be advising most of my friends who ask what computer they should buy to get a Mac or try Linux if these had been fixed. And yes, I do make these recommendations for selfish reasons: I don't want to have to go round cleaning my friends' computers every other week when they get broken. I want to have a good time with my friends and not be their private malware removal service.
MS are in an awful position here: They have a massive user base and there are countless applications on their platform. Many of these applications were written with the assumption that the user has administrator rights. As we've seen with Vista, taking these rights away from people causes a lot of pain. The question is do they have the will to bite the bullet and just do it?
IMHO Windows' problem has always been that, in most cases, each version was built on a previous platform and was how it was because its ancestor was how it was. Vista started as such a great idea. A complete fresh start with none of the historical vulnerabilities. However then came the problem of application back compatibility and the fresh start got watered down again and again because this or that app wouldn't work unless this or that was how it used to be.
I would encourage MS to make a clean break, like Apple did with OS X; a complete new-apps-only start designed for the modern world. Use this as an opportunity to release a "revolutionary new OS" that's light, lean, fast and low on bloat. I want a system that I don't need to pay extra for antivirus or antimalware programs to keep it working uninfected for more than 20 minutes; I want it to be designed secure and right.
I would then suggest providing a virtualised XP-in-a-window that could be used to run legacy apps. Make it work but don't make the performance stellar to encourage people to use apps for the new platform and for god's sake sandbox it so it can't screw with the base OS. Phase out developer support for XP to encourage software vendors to switch but do it over a reasonable time frame so developers have time to prepare stable, quality products.
MS, I know you want to be richer and more powerful by being the DRM gatekeepers of the world and I don't blame you for wanting that. I would find it a tempting prospect too but all this checking 15 times a second and tilt-bit crap to see if I'm a filthy thieving scumbag is weighing systems down like a set of cement overshoes. My friend's brand new Sony 2.2GHz 2GB RAM laptop running Vista shouldn't be slower than my 3 year old 1.5GHz single core (with a half speed FSB) 1GB running Ubuntu. Not only that but the insane amount of CPU usage on DRM and the 3D processing applied to a 2D desktop is increasing the power consumption of machines and consequently pumping more CO2 into the atmosphere. Please think of the planet every time you think of your bank balance. Your new OS can be a "revolutionary, high-performance, green OS" too and think of the savings your customers will be able to make on hardware and electricity costs. We all win.