2007/04/20

The End of the Internet, or the Microsoft Users Net-Meltdown?

The 2005 Australian Computer Crime and Security Survey(PDF) reports that at the end of 2004 "the hackers turned pro". The ACCSS index may be easier for downloads.

For 2-3 years now, most malware has satisfied the definition of Organised Crime - it's theft, it's purposeful, it's co-ordinated.

In an August 2006 post, I reported the ACCSS comments and new comments from SANS .

ZDNet now report that Rootkits becoming increasingly complex and operate by stealth. They say:

Rootkits -- malicious software that operates in a stealth fashion by hiding its files, processes and registry keys--have grown over the past five years from 27 components to 2,400, according to McAfee's Rootkits Part 2: A Technical Primer (PDF).
If you use a Microsoft system and connect to the Internet without extensive protection, you should be afraid, very afraid. And even large organisations who do everything right, are still open to targetted "zero day" attacks. The first Windows Vista security problems are being reported. It's better than their previous efforts, but still contains significant security flaws. The Whitehouse mandated a minimum security configuration for all US Federal Government Vista destops.


For more on the various types of computer crime Wikipedia is a good resource.

The Internet Meltdown

So when will the Internet Meltdown occur for ordinary home users of Microsoft system? Perhaps it already has... Already 50% or more of Internet e-mail is spam. A large chunk of other traffic has to be attempts to break into systems, and sometimes Distributed Denial-of-Service attacks (DDoS).

Banks already advise PC owners to use a personal firewall, virus and spyware scanners and perform regular checks and software updates.

But the number one and two malware vectors, Internet Explorer (IE) and Outlook, aren't mentioned. Worse, most sites are optimised for, or will only work with, IE.

Banks are already moving to "two-factor authentication" - usually a device (a 'token') that provides "one-time passwords" on a little LCD. But that isn't entirely secure - there have already been "session hijacking" attacks. For more see the 2006 The Crimeware Landscape (PDF) from the US Dept. of Homeland Security, SRI International and the Anti-Phishing Working Group.

How can a home user tell if their machine is compromised and part of the spam and hacker tool of choice, a botnet? They mostly can't without expert help and specialist tools. They might experience the normal random problem of "The Internet is running slow today".

Savvy hackers and botnet owners operate just like the best "special forces" and "secret agents" - by stealth. They want to own your computer and internet link and not have you know anything is wrong.

For 5 years or so I've thought the Internet would end for naive home users in an obvious "Meltdown": Within minutes of connecting a new system to the Internet, it would be compromised and then brought down.

What competent cyber-criminal would do that? They want to "own" and use your computer and internet resources for their own ends - and they can't do that if your system isn't running. So I've been wrong. The "Meltdown" won't occur like that in a criminalised world.

What will happen is:
Go on-line and have your credit-card and banking access data stolen.
That will seriously impact e-Commerce and banks will have to shell out Billions in internet-based banking theft and fraud.

Here's the thing

The Microsoft security problems are entirely preventable and avoidable.
It's all about Good Design, Good Development Processes and Software Quality.
Testing only reveals the presence of bugs, not their absence. A rigourous testing regime, whilst necessary, will only take you so far. Achieving Good Security is purposeful, directed activity - it requires good, careful design not compromised by insisent business or marketing demands for "more features" and "fancier interfaces".

Proof:

Look at all the widely deployed non-Microsoft systems on the Internet. Many are extremely high-value targets and the technology they use is usually much older than Windows NT. Remember than Microsoft IIS is out gunned 2:1 by the free Apache server on the public Internet (Netcraft survey)

These non-Microsoft systems don't suffer the same rampant security problems and breaches/compromises. And it's not because they are ignored by the attackers - they would if they could get into these high-value targets. The botnets are constantly probing every public IP address for weaknesses.

And those same, now old, system grew up with the Internet, in the most hostile of environments - Universities. All those bright, bored computing undergraduates looking for accolades/kudos by beating the system.

That's the nub of the Internet Security problem, and it's solution...

No comments: