|Home » Rants
They know they've failed but they're still too thick to know what works.
SAN FRANCISCO (Radsoft) — Things were rather austere at the RSA conference. Bad times generally are good times for the AV cottage industry, but not when their products are deemed to be of no use. Aurora and Mariposa basically made that clear once and for all.
So the AV people pitched their (ahem) 'next generation' products but everybody was distracted by the simple but undeniable truth that their current products are less than useless.
'Both Mariposa and the Google attacks illustrate the same thing', says Robert McMillan. 'Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.'
The key is in the Windows security model - or rather the lack of it. McMillan explains.
'For these advanced attacks to work, the bad guys need find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect - or at least very quick about spotting intrusions - to keep advanced persistent threat (APT) attacks at bay.'
Windows has no inner defences - something that's been pointed out at this site ad nauseam et ad infinitum. Windows has no failsafe. This means that the periphery - one's web applications, one's browser, HTML rendering engine, mail client, et al, et al, et al - must be absolutely perfect.
There's never been a battle won with such terrible odds.
Try to imagine yourself the allied commander in chief at the end of World War II. Your soldiers advance through Europe and your sailors and marines advance through the Pacific. Yet if a single enemy soldier can jump into one of your foxholes, if one single enemy sailor can board one of your vessels, the game is over and you lose.
'Basically othing people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who's a Windows shellcode person, targeting one person and spending months to break into that computer.'
- Alex Stamos, iSEC Partners
Traditional security products are simply not much help against APT attacks, says Alex Stamos of iSEC Partners. 'All the victims we've worked with had perfectly installed antivirus - they all had intrusion detection systems and several had web proxies scan content.'
And that's a big deal because the game's over as soon as you go to ground on Windows. It's not like that on other systems. Only Windows. Because Windows has no inner defences.
The 'bad guys' subscribe to the same AV products as everyone else. Of course they do. They test their own malware until they figure out how to get through undetected. They update their own malware as soon as AV companies update theirs.
'Anybody can download and try every single antivirus engine against their malware before they ship it', says Stamos.
'Enterprises are very dissatisfied with the level of protection they're getting from their end point antimalware suites', says 451 Group analyst Paul Roberts. The supposed 'security experts' are forced to admit that the old patch/AV/IDS system can't protect networks running Windows.
'The security industry's going to have to think about selling solutions that actually work with this type of environment', says Stamos. 'Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person, targeting one person and spending months to break into that computer.'
Nope. But changing your operating system would remove the threat immediately and forever.
That's the difference.
The House that Bill Built
Windows has no inner defences. Windows is a submarine with no bulkheads. Spring a leak in a single chamber and the boat goes to the bottom of the sea. Windows is an international federation. Pass through a border control - or to cite an innocent example: pass through US customs - and you can basically do anything you want. You can travel around, pick up some flying lessons in one place, hide out in another place, and then take your time to figure out how you're going to hijack commercial airplanes in New York City.
You can't add security after the fact. You can't rebuild a standalone system to make it secure. It just doesn't work. Period.
All the while Bill Gates travels around the world tossing around cash from his foundation, his operating system sits there with no foundation at all.
Most people don't understand this because most people don't understand computers, much less security systems. Windows is the only system they've ever seen. They're accustomed to the crashes and hangs and exploits. They assume things have always been this way and will always be this way. But they've never been this way anywhere but on Windows.
The house that Bill built never stood sturdy - and now it's crumbling, falling apart.
The Evil Profession?
The current recession has opened people's eyes to what banking institutions are capable of. Banks are said to only offer to lend you money if you don't need it and to never lend you money when you do need it.
The same applies to their approach to computer fraud. Visit Brian Krebs' site and catch up on the small businesses getting slaughtered by the current wave of malware. Banks won't protect their corporate clients - only personal clients. Why? Because personal accounts are of no interest to the 'bad guys' - no one cares about an account with a balance of $23.45. But give the bad guys a corporate account with a few hundred thousand and they're on it like flies to cow dung.
'All the victims we've worked with had perfectly installed antivirus - they all had intrusion detection systems and several had web proxies scan content.'
- Alex Stamos, iSEC Partners
Banks only protect those clients that don't need protecting.
Banks could do more to protect corporate clients but they don't need to - they're protected by the fine print in their contracts. Banks could institute controls such as used by the credit card companies. But that would cost extra and again: they don't need to. The clients are at fault for lax security - for using Windows.
Corporations everywhere could immediately improve their security (and basically run the bad guys out of business) by simply using 'live CDs' for their online banking. Banks will never abandon online banking - a website doesn't ask for holidays, medical care, a monthly salary. Banks lose nothing with the current scheme of things. So it's up to the clients.
But will the clients smarten up? Will they abandon Windows? Will they at least start using live CDs for their online transactions? The botnets could be out of business by tomorrow. Will anyone do anything?
Don't count on it.
There aren't any good guys. You realise that, don't you? You realise there aren't evil guys and innocent guys. It's just a bunch of guys.
- Steve Arlo
IT World: Security industry faces attacks it cannot stop