
Analytics

1/31/2007
11:00 AM

Sound the Alarm

But how do you do it in a way that's meaningful to computer users of different stripes?

Botnets, viruses, trojan horses and the myriad other forms of malware have been on my mind a lot lately. But the focus of my thinking has been from the perspective of the home user, rather than the enterprise. Why haven't we solved the problem for home users yet?

After all, think about what's been done so far:

  • There are a ton of free or inexpensive tools for taking care of viruses, spyware, and a variety of trojans/zombies
  • Many DSL/cable users have firewalls built into their modems and/or wireless network access points
  • TV, radio, and print news from most if not all of the major news outlets have covered the threat from malware, and generally have included information about the importance of anti-virus, personal firewall, and anti-spyware software
  • New computers generally include some of this software in either evaluation or fully functional form
  • Employers are increasingly including employees' home computers in licensing agreements for this sort of enterprise software

Then why are we still seeing so many problems? The biggest issue seems to be, and in fact has always been, a lack of attention to the problem of presenting potential attacks to normal users in a way that lets them make an intelligent decision about whether an action is in fact malicious, or is instead useful. This is not merely a user interface problem.

This is, in truth, a really hard problem. It involves translating, in a general way, the innermost functions of the operating system and an unknown set of applications. I've been using the latest versions of several of the most popular personal firewalls for the last several days, just to see how things are progressing since the last version, which I used several years ago, only to uninstall it because it was nearly useless. (See Safety First: Five Firewalls for Your Desktop PC.)

The good news with the new version is that at least everything seems to be functioning properly after installation. And in fact, there have been almost no alerts, since I've got it in "Learning Mode," allowing it to essentially baseline my system's activity. That's really putting it in the realm of a host-based intrusion protection system, which is a good thing.

In a typical home network the very services that need to be exposed are the ones that are likely to be attacked. Your typical home user is simply not going to install a Web server just for the thrill of it, but is likely to share files. That file sharing service is then going to be the main vector for any network-based attack.

Even restricting access to a limited range of addresses doesn't prevent any infection from spreading to the rest of the network. Combine this with something like the recent Word vulnerability, and you've got a real problem.

The bad news comes with the response to an attack. It will present a warning to the user saying something like "Process A was trying to communicate with System Process by opening its process." Your average user is likely to say "OK, fine, whatever, let me get back to work." The only requirement for malware writers is to name the evil process something other than Evil Process. If Process A is named something like "Windows Automatic Update" then ZoneAlarm or any other similar program is going to be nearly useless.

So, in the absence of a trained IT professional, what can the user do? An extensive database of activities that are common and/or allowed, and some sort of friendly way to interact with it could certainly help. The critical component, to my mind, is that the developers of this sort of software think very carefully about their audience. That audience is not me. That audience is my parents.
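The two points above, that a "Learning Mode" baseline is what makes a personal firewall behave like host-based intrusion prevention, and that a rule keyed on a process's self-reported name is defeated the moment the process calls itself "Windows Automatic Update", can be shown together in a small model. The code below is an added illustration, not anything from the article or from ZoneAlarm or any other product: it baselines (binary hash, action) pairs during learning, compares that with a policy that trusts names, and produces the kind of plain-language prompt the author is asking for. The event fields, the policy classes, and the byte strings standing in for executables are all constructed for this example.

```python
"""Added example (not from the article): a toy host policy engine showing why an
allow-list keyed on a process's display name is defeated by renaming, while one
keyed on the executable's hash is not. Class names, event fields and the sample
"binaries" below are constructed for this demonstration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One behaviour observation, as a personal firewall or HIPS would see it."""
    display_name: str   # what the process calls itself (attacker-controlled)
    exe_bytes: bytes    # executable contents (constructed stand-ins here)
    action: str         # e.g. "open_process:System" or "connect:tcp/80"


def fingerprint(exe_bytes: bytes) -> str:
    """Identity derived from the binary itself, not from its name."""
    return hashlib.sha256(exe_bytes).hexdigest()


class NameKeyedPolicy:
    """Weak design: trusts whatever name the process reports."""
    def __init__(self) -> None:
        self.allowed: set[tuple[str, str]] = set()

    def learn(self, ev: ProcessEvent) -> None:
        self.allowed.add((ev.display_name, ev.action))

    def decide(self, ev: ProcessEvent) -> str:
        return "allow" if (ev.display_name, ev.action) in self.allowed else "alert"


class HashKeyedPolicy:
    """Learning mode baselines (binary hash, action) pairs; anything outside the
    baseline alerts, with a message aimed at a non-expert instead of a raw
    process-internals dump."""
    def __init__(self) -> None:
        self.allowed: set[tuple[str, str]] = set()
        self.known_names: dict[str, str] = {}   # hash -> name seen during baseline

    def learn(self, ev: ProcessEvent) -> None:
        h = fingerprint(ev.exe_bytes)
        self.allowed.add((h, ev.action))
        self.known_names[h] = ev.display_name

    def decide(self, ev: ProcessEvent) -> str:
        return "allow" if (fingerprint(ev.exe_bytes), ev.action) in self.allowed else "alert"

    def explain(self, ev: ProcessEvent) -> str:
        """Plain-language prompt: says whether the program was ever seen in the
        baseline, and calls out a familiar name attached to an unknown binary."""
        h = fingerprint(ev.exe_bytes)
        if h in self.known_names:
            return (f'"{ev.display_name}" is a program seen before, but it has not '
                    f'done "{ev.action}" until now. Allow it?')
        if ev.display_name in self.known_names.values():
            return (f'A program calling itself "{ev.display_name}" is NOT the one '
                    f'you normally run under that name. This is suspicious; block it.')
        return f'An unfamiliar program "{ev.display_name}" wants to "{ev.action}". Allow it?'


def run_demo() -> dict[str, str]:
    """Baseline the genuine updater, then test a renamed impostor against both policies."""
    real_updater = ProcessEvent("Windows Automatic Update", b"REAL-UPDATER-BINARY", "connect:tcp/80")
    impostor = ProcessEvent("Windows Automatic Update", b"EVIL-PROCESS-BINARY", "connect:tcp/80")

    by_name, by_hash = NameKeyedPolicy(), HashKeyedPolicy()
    by_name.learn(real_updater)   # "Learning Mode": observe normal activity once
    by_hash.learn(real_updater)

    return {
        "name_policy_real": by_name.decide(real_updater),
        "name_policy_impostor": by_name.decide(impostor),   # fooled by the name
        "hash_policy_real": by_hash.decide(real_updater),
        "hash_policy_impostor": by_hash.decide(impostor),   # still alerts
        "impostor_message": by_hash.explain(impostor),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A real product would key on a signed publisher identity or a hash of the on-disk image rather than on bytes handed to it, and the baseline would cover far more than one action per program; the point the model makes is that the identity a policy trusts has to be something the process cannot choose for itself, and that the alert text has to tell the user that a familiar name is attached to an unfamiliar program.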

So why should Dark Reading readers care about this in more than an abstract sense? Remember the example of the open services on the home network. Now imagine that instead of a home network you have a VPN to allow your sales team to work from home, using their own PCs. Scary, huh? Probably time to get some host-based intrusion prevention on your corporate desktops, and start worrying about how you can keep all those home users protected.

And remember that even if they could call you every time an alert pops up, they won't, and if they did, you wouldn't want it.

These problems mainly affect Internet users in the developed world. Next week I'll look at another malware distribution mechanism, namely pirated software, and how this problem is not only bigger than you think, but also how this creates headaches for those who only use licensed software. Stamping out malware is a much harder problem than just getting some decent host-based intrusion prevention systems, I'm afraid.

Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading
