PC Magazine Article on Internet Security Highlights RESCUECOM

02.01.06
By Cade Metz, PC Magazine:

The Sorry State of Security

Time to face facts: when it comes to our online safety woes, everybody is to blame.

One recent sunday afternoon, a woman phoned Ed Finn from her apartment in northern Virginia, complaining that pornographic icons were popping up across her computer screen. As the owner of a Washington, D.C.- area Rescuecom franchise, Finn spends his days servicing home PCs, and this woman needed his help urgently. The Click-Here-For-Sexy-Bod icons were soon joined by Internet gambling links and countless browser pop-ups, each less wholesome than the last, popping up faster than she could close them.

When Finn arrived, he discovered more than 80 pieces of malicious code on the woman's PC, and it wasn't hard to see why. She hadn't installed a firewall or an antispyware program; although her PC came with antivirus software, she hadn't bothered to activate it, assuming she was protected since it was included. Her machine was about as well protected as General Custer at Little Bighorn, completely exposed to every virus, worm, Trojan horse, and foul strand of spyware lurking on the Internet.

The nasties were entrenched to the point where Finn had no choice but to back up the woman's data and reformat her hard drive. He was almost finished when her roommate came running down the stairs in a panic. Pornographic icons were popping up across his computer screen, too.

Cast an eye over the current state of Internet security, and there's a certain sense of déjà vu. We're living the same bad dream over and over.

No matter how many times we suffer the consequences of online attacks-system slowdowns, instability, loss of connectivity, even costly identity theft-we always get burned again. Expert advice, warnings, and even new security programs ultimately do no good. After more than ten years of this recurring nightmare, we've come to the conclusion that there's only one possible explanation: Stupidity.

Whose stupidity? Yours, for a start. That's right: You. Joe Computer User. A decade of working and playing on the Internet and you still surf without proper protection. You know what? When Ed Finn went upstairs to check on the roommate's machine, he found that it too lacked protection. "Most of the machines I see either don't have security software installed or use versions that are way out of date," says Finn, who sees over a thousand home machines each year.

But the end user is only part of the problem. Though many have worked to improve the situation, the world's hardware and software vendors bear just as much of the blame. After all, users wouldn't have to worry about security software if PC manufacturers and ISPs made it an integral part of every machine. And malware wouldn't be nearly as prevalent-or as destructive-if developers weren't so cavalier about the gaping security holes weakening their operating systems and applications. Even security vendors are stupid when it comes to security. One of the latest hacker and virus trends is attacking antivirus software, which is often no more secure than any other desktop app. And it doesn't help that the media whip the latest threats into frenzied stories, getting users good and panicked but generally not providing substantive solutions. We're all stupid. And it's time we smartened up.

You're Stupid

Every month, security tools provider Sophos compiles a list of the Net's ten most successful viruses. In December 2004, a particularly nasty worm known as Zafi-D topped the list, accounting for nearly 40 percent of all virus attacks worldwide. Within hours of the first sighting, all the major antivirus vendors released signatures capable of identifying and stopping the worm. But nearly a year later, when Sophos unveiled its November 2005 list, Zafi-D was still in the top ten.

"That tells you people either don't have antivirus software installed or they're not keeping it updated," says Gregg Mastoras, a senior security analyst at Sophos. "At the very least, they're not loading new signatures for months at a time." Indeed, a recent study by America Online and the National Cyber Security Alliance (www.staysafeonline.info) showed that more than half of all Internet users leave their machines exposed to the latest viruses, either by not updating their AV or not having any AV at all.

Nowadays, all the major PC manufacturers include at least one antivirus application on every new machine that goes out the door. And when you sign up for Internet service, most ISPs offer still more antivirus software, often free. Yet you-the end user-still manage to go online without protection from viruses like Zafi-D.

You say you do run AV and do keep it updated? Chances are you're still doing something dumb. Antivirus programs are hardly the be-all, end-all of Internet security. Not all AV tools protect against spyware, a slightly different breed of malicious code that surreptitiously tracks your behavior and pilfers your important data. Software patches, antispyware, and software and hardware firewalls are key as well, as is encrypting traffic on your local wireless network, which sees every packet sent between you and the Internet.

"Many companies, most notably Symantec, have done a great deal to inform the average consumer that they need an antivirus product," says Alex Walker, author of The Absolute Beginner's Guide to Security, Spam, Spyware and Viruses. "But this has created a false sense of security. The average consumer assumes that antivirus gives them all the protection they need."

According to the America Online survey, about 80 percent of you are exposed to common Internet threats- not just viruses, but spyware, drive-by downloads, hackers, and more. If you're not protected, your chances of avoiding infection are slim to none. "If you attach a PC to the Internet and leave it there unprotected, there's a 90 percent chance it will be infected within the hour," says Sophos's Mastoras, who spends his days tracking the latest threats.

The saddest part is that, even if you're among the 20 percent of users with all the proper security precautions in place, many of you will foul things up anyway. All the security software in the world won't do a bit of good if you fall for one of those heavy-handed phishing e-mails that purport to come from your bank or Web sites such as eBay or PayPal but are really efforts to pilfer your credit card information. Or if you download files that offer benefits too good to be true. Or especially if you decide to troll the Web in search of free porn. Particularly if you let your children, unmonitored and uneducated, onto your PC. They'll make all those mistakes and more.

The truth is, most of you bring attacks on yourselves. If you don't stay away from the seedier side of the Web, well, you're being stupid.

Tech Vendors? Just as Stupid

Don't take it personally. You're not the only one who's stupid. In fact, many experts believe that the real problem lies with the companies selling PCs, software, and Internet access. "Many security problems can be traced back to uninformed end users, but you can't put the blame on the end user," says Dr. Clifford Newman, director of the Center for Computer System Security at the University of Southern California. "What we need to do is develop systems that better protect end users. You can't expect the average consumer to behave like a security administrator."

The PC industry has certainly taken a few steps forward in recent years, but many serious issues still need correcting. For a start, PC manufacturers and ISPs can't just bundle AV software and wash their hands of the matter. They're the ones selling you the product, and it's their responsibility to make sure the product is well protected. Full security protection-antivirus, antispyware, firewall, ongoing OS updates-should always be part of the initial purchase and should always load automatically. Knowing how stupid end users can be, vendors are doubly stupid to expect that they'll always purchase, install, and activate all that software on their own.

Security Software: Inexcusably Stupid

At the same time, security vendors need to realize their products are woefully deficient. They put a palpable strain on the average PC, often slowing performance to a crawl. They're far too difficult to use. And some don't even provide proper security.

Antispyware tools are the least mature of the lot. They should stop all "in-the-wild" spyware that they encounter-anything less is unacceptable-but, at PC Magazine Labs, we've yet to find one that does. Unlike on the AV side, there's no independent certification program that works to ensure antispyware apps are up to snuff. And they require far too much user intervention. With some, the onus is actually on the user to start a system scan or update signatures.

That's nothing compared to the hassle of using a firewall. Today's firewalls present too many pop-up warnings that require users to make choices about apps and processes trying to perform various functions. At the very least, these are annoying. And for most people, they're flat-out confusing.

There's no excuse for any firewall not to contain signatures for the tens of thousands of known software applications. That would let the firewalls intelligently ignore their permissible behaviors without popping up those annoying and confusing warnings.

When they detect unknown network traffic and there's no obvious right or wrong, firewalls should give the user crystal-clear instructions about how to proceed. Some firewalls, including Norton Personal Firewall and ZoneAlarm, do use large signature databases, but these still aren't adequate, and this isn't the norm.

With the release of Windows XP, Microsoft finally added a firewall to Windows, and thanks to improvements made with Service Pack 2, it's unobtrusive and easy to use. But it provides only a portion of the protection you'd get from standalone firewalls, which carefully monitor every packet flowing both to and from your PC.

Even antivirus tools need improving. Yes, once the AV vendors provide a signature, they're good at stopping the latest threat, but it often takes too long for a new signature to reach your machine, and AV tools still aren't very good at stopping unknown threats. As we mentioned in our recent feature "The Zero-Day Attack" http://go.pcmag.com/zerodayattack ), many attacks are hitting machines before the proper signatures are in place. According to AV-Test ( www.av-test.org ), a computer security research group at Germany's Otto-von-Guericke-University Magdeburg, some vendors take days to get signatures out. Thousands of supposedly protected machines can be infected in hours.

Some vendors have started to integrate heuristic tools capable of identifying unknown viruses, but, again, they're hardly as widespread-or as effective-as they need to be. Even if AV products aren't as stupid as antispyware products, they're not as smart as the people attacking your machines are.

According to IronPort, a company that filters e-mail and Web traffic for eight of the world's top ten ISPs, most of today's attacks are about money. "It's all becoming much more organized than it was before," says Ambika Gadre, IronPort's senior director for product management, "and profit is the primary motive." Attackers have far more incentive than in the past.

Security software should not only offer a completely intuitive interface and protect users from unknown threats, however. It's also got to protect users from themselves.

It's much too easy for users to disable their own protection accidentally or fall for the sort of online confidence trick that's become all too prevalent. Microsoft's new browser, Internet Explorer 7, will go a long way toward curbing our e-mail phishing problem, as it compares embedded URLs against an online database of known phishing sites and looks for common characteristics that typically show up in these nefarious pages. (Similar tools are available for browsers today, but they haven't been widely adopted.) Now we need added protection on IM clients like AOL's AIM, Yahoo! Messenger, and Microsoft's MSN Messenger, which carry many of the latest threats. Just as with fraudulent e-mails, people need to know if an instant message didn't originate with the person it claims to be coming from.

You could even argue that the industry should sidestep the user entirely, by setting up security protection on each PC and preventing anyone from tampering with it. Users invite malicious attacks even when they're actually trying to improve security. They click on pop-ups that read "Download Spyware Remover." Respond to e-mails that offer improved protection for their PayPal accounts. Automatically click on "Allow" whenever their firewalls pop up asking whether an executable file really needs access. In the end, trying to teach end users better security practices may be futile. The industry may be better off handling the problem on its own.

Software Developers: the Stupidest of Them All

Of course, many PC users are loath to relinquish control of their computers. And you could argue that such draconian measures are less than ethical. "Ultimately, users own their own machines and they should be able to do what they what they want to do," says USC's Newman. But there's little debate when it comes to the countless vulnerabilities that continue to pop up in the most popular applications and operating systems. It's time developers changed the way they write software code.

After the virus debacle of 2003 when the Blaster and Sasser attacks wreaked havoc on Windows PCs, Microsoft significantly improved its efforts to weed out security holes in its operating system and other desktop applications. "Microsoft engineers have really taken it to heart that security is important," says Brian Chess, chief scientist at Fortify, a firm that removes vulnerabilities and mitigates risk in computer software. "In terms of knowledge and uniformity of interest, they're way ahead of the game." But Windows is still littered with security holes-witness the flaw in the Windows Metafile Format that came to light in December -and as Microsoft improves its security, hackers are beginning to focus their attentions on all sorts of other software.

You can't make this up: Antivirus applications are some of the most vulnerable software on today's PCs. Not only are hackers intent on attacking the companies trying to bring them down, antivirus tools have just as many security holes as any other application. "Guys who write security software aren't thinking about their own security," explains Chess. "They're thinking about protecting other parts of a computer." If security companies aren't focused on writing secure code, we're all in trouble.

According to the SANS Institute, an independent watchdog organization, multiple buffer overflow vulnerabilities have been found in AV apps from most popular vendors, including Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV, and Sophos. These could give attackers complete control of a system with little or no user intervention.

Your stupid behavior can be forgiven. Maybe. Up to a point. But this is a different matter, and Chess even argues that the problem of insecure code is much deeper than we think. It's not just that developers don't know how to write secure code. It's not just that they don't care about writing secure code. They're actually taught to write insecure code.

Chess likes to play a game. He walks into a bookstore, grabs a programming book off the shelf, and thumbs through pages until he finds a piece of sample code, a program meant to educate the world's programmers. Inevitably, the code contains a major security flaw-usually more than one. In December, he opened Foundations of Ajax by Ryan Asleson and Nathaniel T. Schutta, a book that teaches the Web's language of the moment. The first sample was only 1,100 lines long-yet it contained 40 security vulnerabilities. One particularly egregious problem: "cross-site scripting," an easily exploitable way of delivering executable code to a browser. Hackers use this technique to deliver their own code that pilfers end-user data. It's one of the most obvious of online vulnerabilities, yet there it was.

We're Stupid Too

Sound as if we've climbed atop our high horse and are just spewing criticism on everyone else? Well, truth be told, we're not exactly free from blame. The media are just as stupid as everyone else. Fearful of missing "the big one," the media talk about even the smallest online threat as if it's the coming of the apocalypse, and build up the latest security software as a sure way to stop it. Perhaps we've failed to show how very flawed security software can be. Perhaps we've failed to explain that you're a big part of the problem, that running a security suite is only half a solution, that you have to change your behavior as well.

We admit it: We're stupid too. And we're trying to make amends. We urge you to open your eyes to the threat of online malware, and we implore the industry to provide far more protection than it does today. Yes, the industry talks a good game, and several improvements are already on the way, including many integrated with Microsoft's upcoming operating system, Windows Vista. But much more needs to be done. Perhaps in the coming months, all of us will come to our senses. We sure hope so. Otherwise, it'll be d? vu all over again.

Case Study: Even Cool Music Companies are Stupid

ARTICLE DATE: 02.01.06

By Cade Metz

As if we didn't have enough security problems to deal with. This fall, developer Mark Russinovich discovered that Sony BMG, one of the world's largest record labels, was distributing music CDs that actually introduced a security hole when inserted into a Microsoft Windows PC. Yes, they created an opening that wasn't there before.

When inserted into a PC-that's right: just popped in the drive, not played and not ripped-these CDs install digital rights management software designed to prevent listeners from redistributing copyrighted songs. This happens automatically, even if you decline the end-user license agreement. Then, in an apparent attempt to hide the software and prevent its removal, they also load something called a rootkit. The trouble is that rootkits are also commonly used by hackers to infiltrate PCs and run malicious code on the sly.

"It's a pretty ridiculous situation," says Brian Chess, chief scientist at Fortify, a firm dedicated to finding and removing software vulnerabilities. "Part of the blame falls on Windows, because it enables this sort of thing, but Sony clearly misunderstood what it was doing." (Rootkits were not invented specifically for Windows. For years, they targeted Unix systems.)

When the press got hold of the story, the extent of the problem was somewhat exaggerated. Russinovich points out that Sony's rootkit doesn't exactly provide hackers with an on-ramp to your PC. "Sony's rootkit is only exploitable if the user can be lured into downloading something or tricked into installing some sort of malware that would take advantage of it," he explains. "If someone can get software to execute on your machine in the first place, they might as well install their own rootkit."

By the end of November, however, someone had indeed written a virus that exploited Sony's gaffe. A variant of a known Trojan horse called Breplibot was dropping in behind the rootkit so it couldn't be seen or removed without specialized tools.

The Trojan arrives in an e-mail attachment piggybacked on a message purporting to come from a British magazine called "Total Business Monthly." If nothing else, Sony had created an obvious target. And we all know that virus writers have a penchant for sticking it to corporate giants like Sony-not to mention that computer users can be tricked into downloading just about anything.

Sony didn't write the DRM package itself. It hired a U.K. developer called First 4 Internet to do that-Sony itself may not have even known about the rootkit. At the very least, it didn't realize the trouble it would cause. Security is often the last thing on people's minds, even those who should know better. That's got to change if we really want to stamp out malware. All of us are going to have to switch gears and put security first-even music companies.

Case Study: Just How Stupid Are You? Geek Squad War Stories

ARTICLE DATE: 02.01.06

By Cade Metz

Since its inception in 1994, Best Buy's "24 Hour Computer Support Task Force" has serviced over 5 million home PCs across over 700 locations nationwide. We figured that the squad's crack team of "double agents" could tell us whether users today practice safe surfing techniques or still blunder about unprotected and unaware of the dangers.

We talked to three agents in three locations. All said that at least half the problems they're called in to solve are caused by viruses, spyware, or some other form of malicious code. Even worse, they've found that most computer users don't even do the basics. "About 90 percent of the time, people don't update their virus signatures at all," says Kristin Demoranville, an agent based in Maryland. "They just don't understand how important it is." Antispyware and firewalls? Forget about it. "They don't even know the word spyware. They don't get that you need both antispyware and antivirus."

Ismael Matos, a New Jersey agent, recently serviced a machine infected by 20,000 pieces of malware, according to the antispyware apps he used, which included Trend Micro's PC-cillin, Webroot's Spy Sweeper, and Lavasoft's Ad-Aware. You read right: 20,000. Granted, that includes tracking cookies, which we wouldn't count, but, "It was quite an interesting removal process," Matos says. It took him 20 minutes just to boot the machine, and he needed another 5 hours to clean it up. The machine was tied in so many knots that he couldn't even run an antivirus app. He had to remove each virus manually.

Matthew Dworkin's record holder was a machine whose Registry was so infested that it had swelled to over 300 megabytes. The norm is about 50MB, and it took Dworkin about 25 minutes to back it up before even starting to quarantine viruses.

Joe Computer User is also falling for the countless phishing scams that flood into our inboxes, according to Dworkin. The New York-based agent recently helped a man who lost over $3,000 when an e-mail fooled him into entering personal info into a site that looked a lot like PayPal's. "I love the irony," says Dworkin. "He goes to the site thinking he's improving the security on his PayPal account, and they end up taking his money."

And, yes, viruses wreak just as much havoc via IM clients as they do over e-mail. Kristin Demoranville just helped a family whose network was brought down when their 15-year-old clicked on an embedded URL inside an IM message he thought was from a friend. The result: a spyware infestation that disabled the networked machines' Internet settings. Recognize yourself, your kids, your friends, your neighbors in these stories? You are not alone.

Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.