Are you safe? (Think again)
10th June 2004
I have been thinking a lot lately about the situation with computer trojans, hacks, exploits and various viruses that are running around in the wild.
It amazes me that people take so few precautions with the computer systems that control their livelihood or their sensitive personal data. Even people that I have worked with who were outstanding in their own right (but not so literate when it came to computers) took no precautions with their own computer systems.
I just don’t understand it.
Microsoft is of course not blameless. In the effort to make computers more accessible to the masses they have spawned a world full of wizards, automatic configurations and openness that only fosters exploitation.
I have said for years that Microsoft should ship their operating systems in a hardened state. The user should then have to RTFM or hire someone knowledgeable in the field if they wish to open up their system more (i.e. run a web server, mail server, or other software on their PC or connect directly to the Internet without the firewall turned on). Finally, with Windows XP Service Pack 2, they will turn on the built-in firewall by default. It only took them 10 years to accomplish this.
Most people who have lost personal information or had their computer taken over by a virus or trojan horse spam mailer will tell you that they would much rather have to deal with a locked down system than lose their data.
I just can’t understand why it took this long for the “lock down” idea to sink in. What’s the point of using a computer if at some random time in the future you stand the chance of losing your data?
Oh, I know, most are thinking “wow, this has never happened to me and probably never will”.
Trust me – I have come across literally dozens of people who have lost their data or had to rebuild their operating system from scratch because they were not properly protected from threats.
I recently read a paper (with specific examples and statistics) that reported on how long it takes a stock Windows XP installation (without SP1 and ALL hotfixes) to become infected with Sasser (or other trojan/virus) when directly connected to the Internet.
Guess what. It took no more than 20 MINUTES. That’s right – anywhere from 6 seconds to 20 minutes. This means that if you don’t turn on the Internet Connection Firewall or have your machine set up behind a cable modem/DSL router you are TOAST. You can’t possibly get the machine patched with all of the necessary hotfixes before it becomes infected.
Another thing. Most people know better than to open e-mail attachments from people they don’t know. Unfortunately most of the new (and effective) viruses will come from someone you DO know. Once your friends get infected the virus sends mail to everyone in their address book. So what does that mean? It means that before you open an attachment you must verify that the sender intended to send you this attachment. If you don’t and open the attachment containing a virus then you are SOL.
Let me go into another thing that really drives me nuts (oh great, another).
SPAM.
You’ve got to ask yourself why spam is so prevalent. How did spammers gain the ability to send so many billions of messages to unsuspecting e-mail recipients every day? Isn’t it possible to simply block all of those nasty spam sending e-mail servers out there?
One answer: the SPAM trojan horse program.
There are literally millions of PCs connected to the Internet that are not properly protected against attack. All it took was a few well-engineered trojan horse programs and guess what. You have those millions of unprotected PCs now sending billions of SPAM e-mails every day.
How does this happen?
Simple.
You place your PC on the Internet in an unprotected state (defined by not having the built-in firewall turned on or not having a cable/DSL router in front of your PC). You haven’t quite kept up with all of the patches that Microsoft has issued. It takes a mere 10 minutes (no exaggeration here guys) for your PC to be exploited. A program is installed on your PC without your knowledge. Now your PC is ready to participate in the sending of unsolicited e-mails.
There are dozens of IRC chat rooms from which spammers can control these networks of robot (called zombies in techno speak) computers. The spammer issues a command in a chat (IRC) channel and then the zombies run off and spam you and me.
These networks of zombies (called botnets in techno speak) are even sold and traded on a daily basis.
This is how 80% of all SPAM originates. Trust me folks. It’s a fact.
Now do you see why I rant and rave about protecting yourself? I don’t want you sending me any more SPAM!
So what is this diatribe leading up to?
It leads to my next thought:
Systems Engineers and Software Developers should be required to pass stringent certification and educational pre-requisites.
Certified IT professionals should also be paid at least as much as doctors/lawyers.
That’s right, I said it. I firmly believe that certified and degreed systems engineers and developers should command that kind of compensation. Along with the compensation comes responsibility for the reliability and security of their implementations. Despite what most people think, there is a code of ethics for lawyers and doctors. It should be no different for certified IT professionals.
Note that I said certified AND degreed. This means that the average Joe high school graduate that knows how to assemble a PC isn’t eligible. In fact, most of the people I graduated with at SMU would be out of luck. I mean to say that there should be an extremely strict certification (i.e. BAR exam anyone?) that information technology professionals should have to pass to become certified as experts in their field.
Don’t even bring up MCSE, MCDBA, MCSD or any of the Microsoft certifications. They are a complete joke. Any certification that can be passed after taking a 1-week bootcamp is not worth the paper it’s printed on. The only certification that is close to what I am talking about is Cisco CCIE (no, not CCNA).
These certified individuals should be required to attend continuing education to retain their certifications.
They should have to re-test if they fail to do so.
Strict certification along with software that is by default “locked down” will save everyone a ton of grief when it comes to computer problems.
I bet you are thinking “I guess Manly would be one of the certified ones – this just benefits him”. Not necessarily. I haven’t passed this test because there isn’t one. If there were I would surely make an effort to become certified (and I am confident that I could pass it – but with a lot of study). The point is that as we rely on information technology more and more we should know without a doubt that the systems are secure and reliable. We have neither at this point in time.
Can you imagine a time when you are completely reliant on your home PC for everything from lighting/security/HVAC control to banking and investments? Ahh, who cares if someone has the ability to take control of your PC or log your keystrokes. What could that hurt? (SARCASM).
I am sure that none of this will come to pass but with all of the talk of terrorism and post 9/11 security you would think that this would be more important. After all, the best way to hurt 260 million Americans is to take away their confidence in their security and make them worry about the stability of the future. How secure would you feel if you knew that the system that houses all of your confidential information is easily compromised? What if you knew that your bank wasn’t taking the appropriate precautions with your information? How about that web site that you entered your credit card info into?
All of this would require some form of licensing. Lawyers and Doctors command high compensation (and generally high levels of trust) because they are protected by their licensing system. Sure, you can practice your own medicine or enter the court room as “pro se” but everyone knows that it’s not a good idea. It is also frowned upon by judges and hospitals (actually, all hospitals prohibit unlicensed physicians from practicing medicine on their premises).
Of course you can’t force businesses to use only licensed IT professionals. On the other hand, as soon as Fortune 500 companies start to require licensing other businesses will soon follow. Large organizations generally set the standard for all others.
This is surely an extreme version of a possible future (or impossible as it may be). There are definitely less extreme (and less effective) variations on this theme. Each scenario would present its own mix of benefits and associated problems.
Let me know what you think.
On another note: How cool is it that Spaceship One achieved spaceflight (they made it to 62 miles). Isn’t it ironic that they achieved this for 20 million dollars? Don’t most of NASA’s programs run into the billions?
Hmm… there may be a lesson here folks. As if we didn’t know that the U.S. government is inefficient (and mostly inept).
Here’s a link to the report on the spaceflight:
http://www.space.com/missionlaunches/SS1_touchdown_040621.html
Manly
P.S. Wouldn’t you know it. Not long after I post this blog there is an article on MSNBC about personal computers that are infected with SPAM trojans. The gist of the article is that Comcast is considering cutting off Internet access to those PCs that are sending tons of spam each day (without the owner’s knowledge).
See this link:
Update (6/25/04):
Another article on CNN describes a new Internet attack on web servers that causes them to serve up pages that contain code that will exploit a security hole in your browser and then install a SPAM trojan on your machine. All the user needs to do is go to a web site hosted on a compromised server and they will be infected by the spam trojan. Sigh.
I would run Windows Update today before I ran around browsing all over the net if I were you. Those that are running all of the latest hotfixes appear to be ok as it exploits MS04-013 (MHTML).
Update (6/25/04):
You are not completely protected even if you have the latest patches for Internet Explorer.
This exploit uses two unpatched holes in IE.
See the following article for more info.