APPROPRIATE TECHNOLOGY, INC.
Microcomputer Systems Consulting & Design


The Threat From Within

Computer Security 101 for the Small / Casual User, Part 2.


With our properly configured outboard firewall in place (see last month's “Rant”), we can now address step two, which is securing (to the extent possible) the target PC itself.

First, recall what we said last month about how all so-called "security vulnerabilities" are actually created by bad software.  That is fundamental to both understanding the problem, and effectively solving it.  After all, software which is not running on the target system cannot compromise it.  From this it follows that, at least as a general rule, security is not enhanced by adding software (especially software which, in order to do its job, must be executing constantly) to a system.  It is enhanced by removing the software which produces the security vulnerabilities in the first place.  Now, if you're like the vast majority of users out there, the first thing you need to remove may come as a surprise (or not):  That would be Windows itself — more specifically, Windows XP or later.  As you probably know, Windows in general has long had a miserable (and at least mostly well-deserved) reputation for being the security equivalent of a tissue paper door (and just about as robust in general).  But Windows XP is notably different in this respect than any of the versions which preceded it.  Sure, it's still subject to the usual array of complaints (i.e., that it's buggy, unstable, illogically designed, full of infuriating flashy but useless “features” that just get in the way until you manage to turn them off, etc.) commonly lobbed at Windows.  But in terms of your security, Windows XP is its own very large Pandora's Box, notwithstanding all those other issues.  For just one supporting data point, consider this search page from US-CERT[1].  As of this writing, that search produces an even 100 “hits”, each of which represents a currently known security hole in Windows XP for which no patch or work-around is available.  This is by far the worst “report card” on outstanding Windows security exploits since I started loosely monitoring this site some years ago.  In other words, despite Microsoft's grandiose claims, the situation is getting worse, not better.
The situation is so bad that the average newly installed Windows XP system connected to the Internet has an Adjusted Survival Time (meaning the mean time before it is more likely than not to be infected by a virus, worm or Trojan) of as little as 20 minutes!

But that's not the worst of it.  You see, above and beyond the plethora of putatively “unintentional” security holes cited on that dismal US-CERT list (but also part of the reason they exist) is the fact that Windows XP is deliberately designed to be insecure.  Yes, you read that right:  It is deliberately designed to be insecure — at least from your point of view.  To clarify:  Windows XP is designed to enhance the security (and profits) of Microsoft and certain other software/media vendors, at the expense of your security.  This issue, while compelling and highly deserving of a full exposition, is simply too large and complex to fully explicate in the course of this article; and so, it will be the primary  focus of a future “Rant”.  But in the meantime, refer to these previous articles by other authors for a sneak peek at some of the problem areas and underlying issues:

    Windows XP Shows the Direction Microsoft is Going by Michael Jennings, Futurepower® Computer Systems
    What Windows Knows, Windows File Updates, and Know Your Upgrades; all by Brian Livingston, for InfoWorld Magazine
    The TCPA FAQ by Ross Anderson, Professor of Security Engineering, University of Cambridge Computer Laboratory.

In short, Windows XP is, to put it bluntly, a security nightmare, much worse in this respect than any previous version of Windows.  It cannot be adequately secured through patches, add-ons, settings changes, and tweaks.  And just in case you are enough of a cockeyed optimist to think this will ever really be “fixed”, consider the fact that the upcoming “Vista” version of Windows is actually going to be much worse — by design[2].

So the next obvious (if rhetorical) question becomes, “If not XP (or Vista), then what?”

Ideally, the answer would be, "Not Windows of any stripe."  And given the advanced state of development which some far more secure (and far superior in general) Operating Systems such as Linux have achieved over the past few years, that answer is actually practical for an ever-growing number of users.  Notwithstanding the mountains of FUD perpetrated by the Microsoft marketing mavens, Linux is a perfectly workable solution for many — perhaps most — current Windows users.  But this too is a topic which needs its own full discussion; and so it will be left for another day when time and space can do it justice.  In the meantime, I will simply acknowledge that many Windows users believe that they “must” run Windows; and therefore, at least most of them will run Windows, whether that belief has any basis in fact or not.

But all is not lost, even for these poor misguided fools.

As touched on above, the introduction of Windows XP represented sort of a quantum leap (for the worse) from earlier versions in several key ways.  Since many of the problems discussed above were either introduced with or exacerbated by design changes made to Windows with the release of XP, it follows that a great many of them can be neatly side-stepped by simply reverting to the next-older version of Windows — i.e., Windows 2000 Professional[3].  This is by no means a complete solution.  A great number of patches and modifications must still be made to Windows 2000 before it can be considered even marginally “secure”.  But it is nonetheless a giant step in the right direction compared to Windows XP, and one which makes implementing an “acceptably secure” (which you should realize is still a notably different thing than “completely secure”) Windows-based computer feasible.

A complete and thorough discussion of the necessary patches and modifications for Windows 2000 is outside the scope of this article.  But the most important one is far too crucial to not mention:  Both Internet Explorer and its integrated sub-client Outlook Express must be completely removed from the system, if even a semblance of safety and security is to be expected.  You see, throughout this article, I've been keeping a small secret; but now it's time to let the cat out of the bag, so to speak:  Over the history of both Windows and Internet Explorer, the majority — perhaps the vast majority — of the reported “security holes” commonly attributed to Windows have actually been embodied in IE/OE, not the core operating system itself[4].  Without question, Internet Explorer is the single most dangerous “legitimate” application program (as opposed to obviously “illegitimate” programs such as outright Trojans, blatant cracking tools, and virus-infected “Warez”) to have ever been widely distributed to the public.

While Microsoft has been furiously releasing Band-Aid® patch after Band-Aid® patch for Internet Explorer for several years in an attempt to plug some of these holes, that pursuit is clearly futile, as new holes keep getting discovered on an almost-daily basis.  More ominously, like many of the above-noted problems inherent in Windows XP, this is at least largely by design[5], not oversight; therefore, no amount of “patching” or “updating” can ever make Internet Explorer acceptably secure.  And no, just forgoing intentional use of it in favor of another web browser (such as the excellent Firefox or K-Meleon) isn't good enough; Internet Explorer must be actually removed from the system with the key files permanently deleted.  Failing that, you have a ticking time bomb embedded in your computer, ready to explode at the most unexpected (and no doubt inconvenient) moment.  This is due in part to Windows' lousy type-checking functions, which enable Internet Explorer to be automatically launched through all manner of mechanisms putatively unrelated to web-browsing, including responding to mis-named executable Trojan Horse programs masquerading as “innocuous” file types such as JPEG images and similar.
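To show the detection side of the mis-named-executable problem just described, here is an added Python example (not from the original article, and not a Windows facility) that classifies a file by its leading "magic" bytes instead of trusting its extension, and flags a Windows executable that has been renamed to look like a JPEG.  The sample byte strings are constructed, not real files.

```python
import os

# Well-known leading byte signatures for a few formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    # Windows executables (EXE, DLL, SCR, ...) begin with the "MZ" DOS stub.
    "pe":   (b"MZ",),
}

# Extensions a casual user would consider "innocuous images", and what they should contain.
EXPECTED_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
}

def sniff_type(data: bytes) -> str:
    """Classify a file by content rather than by name; 'unknown' if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"

def check_file(name: str, data: bytes) -> dict:
    """Compare the type implied by the extension with the type found in the content.

    'mismatch' is True when the content does not match an image extension;
    'executable_disguised' is True for the specific case the article warns about:
    a PE executable wearing an image extension.
    """
    ext = os.path.splitext(name)[1].lower()
    claimed = EXPECTED_TYPE.get(ext)          # None for extensions we do not police
    actual = sniff_type(data)
    mismatch = claimed is not None and actual != claimed
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": mismatch,
        "executable_disguised": mismatch and actual == "pe",
    }

# Constructed sample inputs: a genuine JPEG/JFIF header, and a PE stub renamed as a photo.
SAMPLES = {
    "vacation.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "vacation2.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(check_file(fname, blob))
```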

You may be aware that Microsoft has long claimed that Internet Explorer is an “integral part of the operating system”, and cannot be uninstalled.  That is, to put it bluntly, a pile of hogwash — FUD at its finest, and arguably rising to the level of Perjury when they attempted to foist that claim off on the Federal courts during the infamous DOJ anti-trust case (which they “skated on” by virtue of a fortuitously timed change of political administration and the subsequent failure of the then-new Attorney General to vigorously pursue the case).  In point of fact, there are at least two basic approaches to removing Internet Explorer from recent versions of Windows.  One is to first install Windows in its stock form, then immediately use a third-party utility program such as XPlite/2000lite to uninstall Internet Explorer (and presumably other undesirable modules, sub-programs and applications which the standard Windows Installer forces to be installed); the other is to create a customized install CD with hand-modified .INF files and other patches, then install the modified operating system onto a freshly formatted hard disk.  I will not be going into procedural detail beyond that here; so if you do not consider yourself competent to reliably exercise one of these two options, then you need to either hire someone to do it for you, or stop using Windows, or stop connecting to the Internet.  There really are no other viable choices.  And given the essentially inevitable ultimate result of permitting a standard-configuration Windows-based computer to connect directly to the Internet that we have discussed over the past three months, if you fail to exercise at least one of these five options, you are unavoidably being actively malicious to the rest of the 'net every time you go online, whether you know it or not.

And now, you know it.



Footnotes:

[1]  US-CERT is the United States Computer Emergency Readiness Team, a public coordination center and clearinghouse for computer and Internet-related security issues with potential public safety implications.  It is funded by the Department of Homeland Security, and operated by Carnegie-Mellon University.

[2]  For just the proverbial “tip of the iceberg”, see these two articles from BadVista.org:
        Analysis of Microsoft's Suicide Note (part 1)
        Analysis of Microsoft's Suicide Note (Part 2)

[3]  Windows 2000 was also produced in a “Server” version, which later became “Windows Server 2003”; and to some extent the comments above regarding “Windows 2000 Professional” also apply to these versions.  But since these versions are not appropriate for general-purpose use in Home and SOHO environments, they are outside the scope of this discussion. 

[4]  Some of this mis-attribution can be traced back to Microsoft's long-running (but highly disingenuous) PR campaign which claims that, starting with some releases of Windows 95, Internet Explorer was and is an integral part of Windows, as opposed to a normal application program.  As discussed above, this claim is false.

[5]  In addition to the Windows-specific design issues discussed earlier, which largely manifest in the form of insidious privacy invasion and draconian DRM matters, the integrity and efficacy of Internet Explorer has long been further corrupted by Microsoft's equally long-held "Embrace, Extend and Extinguish" approach to software design, especially in the form of such travesties as ActiveX, which has become widely nicknamed “ActiveXploit” due to its near-limitless susceptibility to malicious attack by Trojans, viruses, and Worms.

Band-Aid® is a registered trademark of Johnson & Johnson Consumer Companies Inc.


