Sound the Alarm

But how do you do it in a way that's meaningful to computer users of different stripes?

Botnets, viruses, trojan horses and the myriad other forms of malware have been on my mind a lot lately. But the focus of my thinking has been from the perspective of the home user, rather than the enterprise. Why haven't we solved the problem for home users yet?

After all, think about what's been done so far:

  • There are a ton of free or inexpensive tools for taking care of viruses, spyware, and a variety of trojans/zombies
  • Many DSL/cable users have firewalls built into their modems and/or wireless network access points
  • TV, radio, and print news from most if not all of the major news outlets have covered the threat from malware, and generally have included information about the importance of anti-virus, personal firewall, anti-spyware software
  • New computers generally include some of this software in either evaluation or fully functional form
  • Employers are increasingly including employees' home computers in licensing agreements for this sort of enterprise software

Then why are we still seeing so many problems? The biggest issue seems to be, and in fact has always been, a lack of attention to the problem of presenting potential attacks to normal users in a way that they can make intelligent decisions about whether it is in fact malicious, or is instead useful. This is not merely a user interface problem.

This is, in truth, a really hard problem. It involves translating, in a general way, the innermost functions of the operating system and an unknown set of applications. I've been using the latest versions of several of the most popular personal firewalls for the last several days, just to see how things are progressing since the last version, which I used several years ago, only to uninstall it because it was nearly useless. (See Safety First: Five Firewalls for Your Desktop PC.)

The good news with the new version is that at least everything seems to be functioning properly after installation. And in fact, there have been almost no alerts, since I've got it in "Learning Mode," allowing it to essentially baseline my system's activity. That's really putting it in the realm of a host-based intrusion protection system, which is a good thing.

In a typical home network the very services that need to be exposed are the ones that are likely to be attacked. Your typical home user is simply not going to install a Web server just for the thrill of it, but is likely to share files. That file sharing service is then going to be the main vector for any network based attack.

Even restricting access to a limited range of addresses doesn't prevent any infection from spreading to the rest of the network. Combine this with something like the recent Word vulnerability, and you've got a real problem.

The bad news comes with the response to an attack. It will present a warning to the user saying something like "Process A was trying to comminicate with System Process by opening its process." Your average user is likely to say "OK, fine, whatever, let me get back to work." The only requirement for malware writers is to name the evil process something other than Evil Process. If Process A is named something like "Windows Automatic Update" then ZoneAlarm or any other similar program is going to be nearly useless.

So, in the absence of a trained IT professional, what can the user do? An extensive database of activities that are common and/or allowed, and some sort of friendly way to interact with it could certainly help. The critical component, to my mind, is that the developers of this sort of software think very carefully about their audience. That audience is not me. That audience is my parents.

So why should Dark Reading readers care about this in more than an abstract sense? Remember the example of the open services on the home network. Now imagine that instead of a home network you have a VPN to allow your sales team to work from home, using their own PCs. Scary, huh? Probably time to get some host-based intrusion prevention on your corporate desktops, and start worrying about how you can keep all those home users protected.

And remember that even if they could call you every time an alert pops up, they won't, and if they did, you wouldn't want it.

These problems mainly affect Internet users in the developed world. Next week I'll look at another malware distribution mechanism, namely pirated software, and how this problem is not only bigger than you think, but also how this creates headaches for those who only use licensed software. Stamping out malware is a much harder problem than just getting some decent host-based intrusion prevention systems, I'm afraid.

Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading