
Malware vs. Anti-Malware, 20 Years Into The Fray

timothy posted more than 6 years ago | from the might-as-well-enjoy-it dept.

Security 62

jcatcw writes "Steven J. Vaughan-Nichols considers the dissimilarities between malware of yore and current infiltrations as we approach the 20th anniversary of the Robert Morris worm. Modern malware apps curl up and make themselves at home in your system, where they wait for a chance to snatch an important password or a credit card number. Welcome to the era of capitalist hacking. Any self-respecting malware program today is polymorphic, making signature-based antivirus approaches difficult. Heuristics and virtual sandboxes offer alternatives, but all such methods are reactive. Unfortunately, monitoring lists and networks is about the only current alternative."


62 comments


There is no cleanup anymore (3, Interesting)

Toreo asesino (951231) | more than 6 years ago | (#23313488)

Some malware I've seen has become seriously sophisticated, so much so that cleaning it is basically impossible.

Non-admin rights, client-side file-scanners, web-side black-lists, and user training is the only way malware is going to go away.

Re:There is no cleanup anymore (3, Insightful)

wizardforce (1005805) | more than 6 years ago | (#23313596)

not only that but a more varied OS/software environment would lessen the damage that could be caused by malware/baddies in general. homogenization is likely one of the worst things to have ever happened to software in general.

Re:There is no cleanup anymore (1)

everphilski (877346) | more than 6 years ago | (#23313644)

more varied OS/software environment would lessen the damage

Only if we don't unify our code, which probably won't happen because people will want to target broad user bases. When code can be compiled on a Windows machine to target a Linux machine, you still have problems.

Re:There is no cleanup anymore (2, Funny)

RiotingPacifist (1228016) | more than 6 years ago | (#23314734)

Surely then you'd need to bundle GCC with your virus because most people don't have a compiler, meaning all viruses would be GPL'd and you'd have to offer every machine you infect the source...hmm

either that or you have to develop a self compiling virus, which has the chance of suffering random code changes and evolving...hmmm

Re:There is no cleanup anymore (1)

electrictroy (912290) | more than 6 years ago | (#23322508)

OFF BUT RELATED TOPIC: I just wiped my Compaq laptop using the Manufacturer-supplied CDs. I barely had the "new" install turned-on 5 minutes, and suddenly I get a popup telling me to go visit registrycleanerxp.com (known malware).

Is it possible Compaq sold me infected CDs???

I shouldn't have a virus after a brand-new install.

Re:There is no cleanup anymore (1)

jotok (728554) | more than 6 years ago | (#23323376)

Was it online? SANS used to track the time-to-infection for an unprotected system connected to the internet (it was between 10 and 15 minutes a few years ago) and noted that this was less than the time it took to download and install a firewall, updates, patches, etc.

Re:There is no cleanup anymore (1)

Deanalator (806515) | more than 6 years ago | (#23315720)

I disagree, but I have heard this a lot. I really have no idea where this idea comes from. If you have a wide variety of operating systems deployed, you are vulnerable to every new exploit that becomes available. Once on your network, almost any software deployment system is vulnerable to local network attacks, and then the rest of your network gets owned.

I would argue for putting every OS deployment on its own vlan, and then using NAC to make sure they are all properly patched before getting out.

Homogenization reduces attack surface, and simplifies management, which is almost always a good thing from a security perspective.

Diversity is a healthy thing! (1)

Jane Q. Public (1010737) | more than 6 years ago | (#23320944)

When you have a diverse collection of applications and ideas behind how those applications work, you have a continual flow of ideas. If, on the other hand, you have a monolithic OS that enforces "this is how you shall behave", you see less innovation and fewer new ideas.

DUH.

Diversity is HEALTHY.

As opposed, for example, to forced quota-based mixing-up. As in college "affirmative action", which serves to homogenize colleges throughout the U.S. based on, of all things, "national averages" rather than actually encouraging differences.

Listen up Microsoft, and Universities too: Diversity is healthy. But you do not gain real diversity by imposing a "standard" from the top down. It just doesn't work that way. But if you allow diversity to percolate from the bottom up, you are likely to be successful (as many Open Source operations can tell you today).

So up your bottom, I say.

Re:There is no cleanup anymore (1)

GlL (618007) | more than 6 years ago | (#23314852)

I work for an ISP and my user base is a range from large corporations to grandma. I can't enforce 3 of your 4 suggestions, and the fourth could get me sued for violating someone's first amendment rights if I black-list the wrong IP range.

Non-admin rights are fine to a point. There still can be compromise issues without admin rights. You can still compromise the administrators as well.

Client-side file scanners are and will always be one step behind the bad guys.

Web-side blacklists, while being the best way to block things, still don't address the shifting nature of these guys, and open up new realms of blackmail or DoS attacks.

User training is a great idea, but half of my users barely have the skills to follow simple instructions that involve using the dreaded right mouse button. Seriously, this isn't going to work for me because of the extreme diversity of my userbase.

My conclusion is that malware is never going to go away as long as the rewards outweigh the risks in creating it. In other words, there will always be malware, because risk assessment is based on personal perspective.

If everyone were to switch to a different OS tomorrow, malware authors would still look for and find ways to compromise systems. There are always going to be security holes between the ears of PHBs and other forms of end users and even techs.

As my sig says I am a bit of a pessimist. I am very certain that if we haven't destroyed our civilization in 100 years we will still be 1 step behind malware authors.

Re:There is no cleanup anymore (1)

the phantom (107624) | more than 6 years ago | (#23318926)

Minor point: unless your ISP is run by or funded by the government (federal, state, or local), you would win a first amendment suit. The first amendment controls what congress can do, and is applied to the states by way of the fourteenth amendment. That is not to say that you wouldn't be hit by problems with common carrier laws, but the constitution has very little, if anything, to do with it.

Re:There is no cleanup anymore (1)

GlL (618007) | more than 6 years ago | (#23319210)

Actually, we are tied in with a local government who put in fiber and cable, and maintains the routing, so that adds "fun" legal complexities to our mix.

Re:There is no cleanup anymore (1)

the phantom (107624) | more than 6 years ago | (#23319710)

Ah. I see. That makes sense. That must suck. ;)

Re:There is no cleanup anymore (1)

Crayon Kid (700279) | more than 6 years ago | (#23317318)

Non-admin rights, client-side file-scanners, web-side black-lists, and user training is the only way malware is going to go away.
Yeah, 'cause we've seen how great all these methods have worked so far. We've been using them for 20 years now and malware's doing better than ever.

You know what I find interesting about all these methods you listed? They all assume that security has already been breached, that malware is on your computer, and attempt to contain damage and patch things up.

Is it just me that finds this approach FUCKING STUPID? Oh look, it's not just me [ranum.com].

Here's a radical new crazy idea: how about fixing security holes so that malware doesn't get in in the first place? How about spitting in the face of the software makers that push shoddy flawed products on us? Or on antivirus makers, their protection schemes and parasitic way of life?

And why the hell do computer users assume that getting malware on your computer is the norm? Would they also consider someone breaking in their house normal? Bloody no, they'd scream and have a fit. Why is it not ok to have your house browsed through by strangers, but it's ok for your private files?

Because we're soft in the head, that's why. We, users, have picked up some very bad habits because a fucked up software industry is doing a sloppy job and then blows smoke in our eyes and tries to pretend it's "the hackers" fault, not theirs. "Oh noes, the bad hackers made a worm and there are losses of billions worldwide, let's shoot them when we catch them." I say fuck that, why the hell did the worm get into my system in the first place?

Re:There is no cleanup anymore (1)

Corwn of Amber (802933) | more than 6 years ago | (#23326462)

Non-admin rights, client-side file-scanners, web-side black-lists, and user training is the only way malware is going to go away.

I wish I had written the Checklist Form For Why Your Anti-Malware Idea Will Not Work already.

Non-admin rights: yeah, right. "Your mouse has moved: cancel or allow"?

Client-side file-scanners: reactive security. Useless. Moreover, there are tons of ways to hide malware so that file scanners don't see them.

Web-side blacklists: Not going to happen. When the file is on the blacklist, it already has infected boxen. And why should I trust you, your servers and your lists? And how do you sign files, with self-modifying, polymorph virii?

User training: ... I can't even find anything funny on that one anymore.

No, the only way is to use semantics. What has the user installed? What does the user need? Whitelisting is the only way to go. And use the NX bit. And randomize memory addresses. (I can't begin to understand how come we had to wait THAT long before SOMEone figured out that abstracting lib calls off the memory addresses would be a GOOD idea! I thought of Just That the very first time I ever thought of programming an OS. Not for security, even - for EASE.)

A list of the software you use, an unflashable BIOS for security only (with no bug whatsoever, and I want it proven in math and by design-by-contract and total testing for all possible values at every level), fill in missing info automagically, check every incoming network packet for consistency, put everything in memory in tight, tight containers like Microsoft Singularity, and voilà, perfect security, unbreakable, forever. Voilà, solved.

Robert Morris, OMG (5, Informative)

Anonymous Coward | more than 6 years ago | (#23313560)

Come on, the guy's name is Robert Morris:

http://pdos.csail.mit.edu/~rtm/

You're thinking of the William Morris talent agency in Hollywood, or something. Mods, please correct this.

Re:Robert Morris, OMG (1)

Chris Mattern (191822) | more than 6 years ago | (#23314084)

I prefer to think of this William Morris. [wikipedia.org]

Wyrm with Nicely Textured Paisley Wallpaper (1)

billstewart (78916) | more than 6 years ago | (#23314896)

That was the William Morris I thought of first as well:-)

Re:Robert Morris, OMG (1)

lgw (121541) | more than 6 years ago | (#23315114)

Robert T Morris, in fact: he claimed the worm was an unintentional result of not having understood an API he was using, and the worm was immortalized as the "RTM worm", or the "RTFM worm" to some. I still think of him as "Robert T Fucking Morris" because of this.

Re:Robert Morris, OMG (1)

jcatcw (1000875) | more than 6 years ago | (#23315380)

"You're thinking of the ..." Aren't you nice! Thinking you say. Apparently not.

Some ways to win. (2, Informative)

apathy maybe (922212) | more than 6 years ago | (#23313622)

Don't install system wide untrusted software, only use signed software from your public repository or from trusted vendors.

Prevent any other changes from being made to the system, mount system partitions read only.

Where users are installing software, force it into a sandbox (one for each application). Each sandbox will have limited access to the network, user files and hardware (such as web cams and microphones).

The simplest solution is to never allow software from users to run (mount home partition as no-exec). However, this doesn't cut it much of the time, which is why I would suggest doing something similar to no-exec, but as a sandbox rather than not running the file at all. I'm not sure how hard that would be, but I'm sure it is possible.

(Oh wait, are we talking about MS Windows here? I guess you can ignore what I said then...)

How does a vendor become trusted? (2, Interesting)

tepples (727027) | more than 6 years ago | (#23315120)

only use signed software from your public repository or from trusted vendors.
How does a vendor become trusted under your best practices?

Re:How does a vendor become trusted? (1)

apathy maybe (922212) | more than 6 years ago | (#23316272)

A vendor is someone with a name, a face, a business name, an email, a phone number, a building address and so on. A trusted vendor depends on your criteria and could range from the length of time a vendor has been in operation (i.e. don't trust a two week old start up), the size of the company (a two person job might be less trustworthy than a 100 person place), and other such possibilities.

Of course, when it comes down to it, do I trust Microsoft? Well, no, they have a history of making buggy products, even if they are large and have been around a while. Do I trust IBM or Sun? A lot more than I do Microsoft, especially if the tool I'm using is free software.

And often, the most important part of trust is having that support contract if something goes wrong.

-----
While I'm at it, another thing to chuck into the "how to win", backups. If something does go wrong, you can restore the system to before it went wrong, and prevent that thing from happening again.

I don't know of any tool similar to System Restore Points from MS Windows in GNU/Linux land, but dd could easily do a similar job.

Re:How does a vendor become trusted? (1)

tepples (727027) | more than 6 years ago | (#23316500)

A vendor is someone with a name, a face, a business name, an email, a phone number, a building address and so on. A trusted vendor depends on your criteria and could range from the length of time a vendor has been in operation (i.e. don't trust a two week old start up), the size of the company (a two person job might be less trustworthy than a 100 person place), and other such possibilities.
For PCs in a home environment, would you recommend criteria that shut out software developed and self-published by a micro-ISV [wikipedia.org]?

I don't know of any tool similar to System Restore Points from MS Windows in GNU/Linux land, but dd could easily do a similar job.
Especially considering the more robust separation of programs and read-write data that the *n?x mindset has always encouraged.

Re:How does a vendor become trusted? (1)

apathy maybe (922212) | more than 6 years ago | (#23317422)

It isn't my job to decide what is a trusted vendor for you. That's your job.

Obviously single developer outfits are going to have more trouble being "trusted" if for no other reason than their signing key is not signed by some key company.

Personally, I tend to be a lot more willing to download random things off the web if:
The software is free software.
The website "smells" clean.
I've heard of the software (or had it recommended to me).

But that's for X/GNU/Linux, what about MS Windows? Well, I'm a lot more wary of that stuff.

Re:Some ways to win. (0)

Anonymous Coward | more than 6 years ago | (#23336008)

"(Oh wait, are we talking about MS Windows here? I guess you can ignore what I said then...)" - by apathy maybe (922212) on Tuesday May 06, @12:49PM (#23313622)
Don't ignore this though:

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun" to do, via CIS Tool Guidance:

http://www.hftonline.com/forum/showthread.php?s=c67119c3df8a1bc8e9ba9a03b726f4fb&t=18589&page=2 [hftonline.com]

It works, and overcomes your objections/statements (& also agrees w/ some of your points as well, via ACL/DACL usage in security policies &/or NTFS filesystem + Registry access rights etc. by USERNAME, & instructs users how to implement this level of protection also) in your post above mine here.

Who the hell is William Morris? (3, Funny)

nuzak (959558) | more than 6 years ago | (#23313736)

Wish I could get paid just for clicking "approve" and filling in the text in the "from the ____ dept".

Re:Who the hell is William Morris? (0)

Anonymous Coward | more than 6 years ago | (#23313916)

Who the hell is William Morris?
A socialist wallpaper designer.

Joking aside, he was a major force in the Arts and Crafts movement and also a man with an interest in political thought and a poet and novelist.

Anyone who hadn't at some point seen a replica of one of his designs would have had to have been living at the North Pole.

This was built for him:

http://www.nationaltrust.org.uk/main/w-vh/w-visits/w-findaplace/w-redhouse/ [nationaltrust.org.uk]

Sorry, but... seriously: Who the f*** cares? (0)

Anonymous Coward | more than 6 years ago | (#23313796)

This is no flame. But after postings like "30th anniversary of spam" etc... ...Do we really have to remember the anniversary of every crap "invented"?

Re:Sorry, but... seriously: Who the f*** cares? (1)

DarkOx (621550) | more than 6 years ago | (#23314248)

Do we really have to remember the anniversary of every crap "invented"?
No we don't but people who are interested in that particular "crap" will. You can move on to the next article if you're not interested. You can accomplish this either by utilizing the scroll bar at the right of your screen or your down arrow key. Glad I could be of help.

Re:Sorry, but... seriously: Who the f*** cares? (0)

Anonymous Coward | more than 6 years ago | (#23315968)

You can accomplish this either by utilizing the scroll bar at the right of your screen

I use Lynx, you insensitive clod!

You are absolutely correct, there is no clean up. (0)

Anonymous Coward | more than 6 years ago | (#23313830)

It also benefits certain software companies that there is no real clean up.

They can tout their next version of their OS as having new security features to prevent this problem, while other avenues of exploit will happen.

Remember the UPNP vulnerabilities? Countless other problems with windows as it is shipped?

Remember there is an industry right now built around "Security" not as we know it, but as the consumers of computer hardware know it.

Anti-virus and "Firewalls" for their windows machines.

Follow the $$$. If we had secure operating systems, you think all the A/V and other companies would make money? They would have to change their business model.

There is logic behind all of this.

Re:You are absolutely correct, there is no clean u (1)

couchslug (175151) | more than 6 years ago | (#23314210)

"It also benefits certain software companies that there is no real clean up."

It further benefits computer shops and geeks who get paid to nuke and pave compromised systems. If Windows were robust and easy to "disinfect" I would have far fewer free computers and less pocket change. :)

Re:You are absolutely correct, there is no clean u (1)

drsmithy (35869) | more than 6 years ago | (#23315770)

If we had secure operating systems, you think all the A/V and other companies would make money?

Of course they would. AV and anti-malware software isn't there to replace OS security, it's there for when the OS security has already been circumvented (typically deliberately by the end user).

No amount of OS security will protect the machine from an end-user deliberately running malicious code.

Criminals and Elections (4, Informative)

mcelrath (8027) | more than 6 years ago | (#23313896)

Between spam, malware, and credit card fraud, the criminals are winning, big time.

The eventual consequence of this is a faltering of trust in our financial systems and economies, and the rise of new kinds of criminal mafias, with billion dollar portfolios. If you thought the mob was scary, wait until you see what rises out of the ashes of the current system.

The solution to this, I believe, is first to limit the information transferred in any transaction to that which is necessary for the transaction (no grocer, you don't need to know where I live); second to implement electronic cash (in the current credit card system you give authorization to perform transactions at any time in the future without verification); and third to establish and teach strong cryptography for communications, transactions, and identity.

But the biggest thing we can do now is get the world's police forces to get off their asses. As long as these things are not prosecuted, criminals will flourish, and they are.

It's time to make this an important issue in elections, before we all lose big.

Re:Criminals and Elections (1)

Presto Vivace (882157) | more than 6 years ago | (#23313984)

But the biggest thing we can do now is get the world's police forces to get off their asses. As long as these things are not prosecuted, criminals will flourish, and they are. Word. The behavior you reward is the behavior you will get. The current non-system rewards malware with little downside. Really, voters don't like malware, why hasn't some ambitious commonwealth's attorney or state attorney general gone after this?

Re:Criminals and Elections (1)

geminidomino (614729) | more than 6 years ago | (#23314102)

Really, voters don't like malware, why hasn't some ambitious commonwealth's attorney or state attorney general gone after this?
One did, but then they made him governor and he got caught banging a hooker or something.

Re:Criminals and Elections (1)

Presto Vivace (882157) | more than 6 years ago | (#23314328)

well, he can't be the only ambitious AG, they can't ALL be clients for hookers.

Re:Criminals and Elections (1)

troutsoup (648171) | more than 6 years ago | (#23320444)

Radio Shack was the worst about this. You'd tell 'em that you were buying a dollar's worth of random substandard parts for a quick project and they wanted your address and phone number.

Tell 'em no thanks and they would chime in that they could then send you catalogues. Well, what was my phone number for?

I found it easiest to tell 'em my name was "jim john joe billybob" and my address was 123 A St. and make up a phone number with the local area code. Then complain if they thought it was hokey. I wonder if jim john joe billybob ever got all those catalogues???

Throw out 2 level access control! (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23313906)

The whole way security is treated needs to be changed. Having root and an ordinary user just doesn't offer the level of granularity that users need. As a user I want to be able to do everything on my computer, what's really needed is fine grained access control per program. Of course, that has issues with users having to grant those privileges but you could have profiles. Imagine installing Evolution or something and it pops up and says "This software says it's a mail client, does that sound right to you?" and then what privileges it gets granted will be set by a "mail client" profile already installed on the system.

When you need to install something esoteric then you would have to do some more advanced steps but if you are installing something strange then you probably know what you are doing anyway.

This could maybe be combined with some sort of trust network. Say your friend installs something that needs non-standard access rights, they could grant the required permissions and create a new profile. You would have them in your trusted list and would have access to all of their profiles so when you install that application, it can categorise it using the info your friend provided.

I think this system provides a good balance between really fine grained permissions and not blindly clicking through loads of confirmation dialogs.

Re:Throw out 2 level access control! (1)

evilphish_mi (1282588) | more than 6 years ago | (#23314068)

That sounds good, but I don't think the average user has the patience for a system like that. I know even as an IT guy it would get a little old. And unfortunately I don't trust the software vendors to come up with an effective automated system that would lessen the required user intervention.

Re:Throw out 2 level access control! (1)

Joe The Dragon (967727) | more than 6 years ago | (#23315482)

Even then, malware can still read your user data files and upload them to the bad guys.

Re:Throw out 2 level access control! (1)

drsmithy (35869) | more than 6 years ago | (#23316502)

The whole way security is treated needs to be changed. Having root and an ordinary user just doesn't offer the level of granularity that users need. As a user I want to be able to do everything on my computer, what's really needed is fine grained access control per program. Of course, that has issues with users having to grant those privileges but you could have profiles. Imagine installing Evolution or something and it pops up and says "This software says it's a mail client, does that sound right to you?" and then what privileges it gets granted will be set by a "mail client" profile already installed on the system.

It won't work because such a system will pretty much require most programs be distributed with their own, tailored profile with "appropriate" permissions. Naturally, instead of actually trying to do it properly, developers will just distribute their software with a profile that lets their application do anything (as will every little flash game, and the like).

You can't secure a system where ignorant end users are allowed to make critical security decisions. Not now, not ever.

Re:Throw out 2 level access control! (1)

zblack_eagle (971870) | more than 6 years ago | (#23319472)

The way I imagined program access control was that each user program would be confined to a sandbox where it only had access to its application directory, a (system configured) data directory for that application and basic OS API functionality. If an application wants network access, it can request it from the OS and the OS will ask the user whether to grant the application the access it seeks. The user could be informed by the system what the implications of granting access would be. It could prompt a single time and only prompt again for all privileges if the application is changed.

Such settings would also be configurable in a system control panel outside the application sandbox. Administrative users could set application access permissions and deny non-admin users from ever configuring them. And as far as basic functionality like read/write access to a file, the OS would ask the user which file and the application would have the desired access to that file so long as the file existed, user permissions notwithstanding.
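One way to model the per-program profile and sandbox scheme discussed in this subthread (and the per-application sandbox suggested in apathy maybe's "Some ways to win" post above), as an added Python example that is not from any poster or any real OS: category profiles set the baseline, a vendor-shipped profile can only narrow it, each extra capability is prompted for once, the answer is keyed to the binary's hash so an updated or replaced executable is re-prompted, and file access is confined to the app's own directories. All paths, capability strings and profile contents are constructed for the example.

```python
import hashlib
import os
from typing import Callable, Dict, Optional, Set, Tuple

# Capability vocabulary for the example (constructed, not from any real OS).
ALL_CAPS = {"net:imap", "net:smtp", "net:any", "fs:maildir", "fs:documents",
            "hw:webcam", "hw:microphone"}

# System-installed category profiles: the baseline an app receives once the user
# confirms "this software says it is a <category>, does that sound right?".
PROFILES: Dict[str, Set[str]] = {
    "mail client": {"net:imap", "net:smtp", "fs:maildir"},
    "text editor": {"fs:documents"},
    "flash game": set(),
}


def app_identity(path: str, binary: bytes) -> Tuple[str, str]:
    """Grants are keyed by install path plus a hash of the executable, so a
    changed binary (update or tampered copy) carries no grants over."""
    return (path, hashlib.sha256(binary).hexdigest())


class PromptLog:
    """Stand-in for the user dialog: answers from a fixed table, counts prompts."""

    def __init__(self, answers: Dict[str, bool]):
        self.answers = answers
        self.count = 0

    def __call__(self, path: str, cap: str) -> bool:
        self.count += 1
        return self.answers.get(cap, False)   # anything not explicitly allowed is denied


class Sandbox:
    def __init__(self, ask_user: Callable[[str, str], bool]):
        self.ask_user = ask_user
        # (path, hash) -> {capability: decision}; each capability is decided at most once
        self.decisions: Dict[Tuple[str, str], Dict[str, bool]] = {}
        self.app_dirs: Dict[str, Tuple[str, str]] = {}   # path -> (app dir, data dir)

    def install(self, path: str, binary: bytes, category: str,
                vendor_profile: Optional[Set[str]] = None) -> Set[str]:
        """Baseline grants come from the system profile for the confirmed category.
        A vendor-shipped profile may only narrow that baseline: an "allow everything"
        profile gains nothing, and extra capabilities must be requested at run time."""
        baseline = PROFILES[category]
        granted = set(baseline) if vendor_profile is None else baseline & vendor_profile
        self.decisions[app_identity(path, binary)] = {cap: True for cap in granted}
        name = os.path.basename(path)
        self.app_dirs[path] = (f"/apps/{name}", f"/data/{name}")
        return granted

    def request(self, path: str, binary: bytes, cap: str) -> bool:
        """Grant if already decided for this exact binary; otherwise prompt once."""
        if cap not in ALL_CAPS:
            raise ValueError(f"unknown capability {cap!r}")
        decided = self.decisions.setdefault(app_identity(path, binary), {})
        if cap not in decided:
            decided[cap] = self.ask_user(path, cap)
        return decided[cap]

    def file_allowed(self, path: str, target: str) -> bool:
        """Confine file access to the app's own directory and its data directory;
        the target is normalised first so '..' segments cannot escape."""
        app_dir, data_dir = self.app_dirs[path]
        norm = os.path.normpath(target)
        if not os.path.isabs(norm):
            return False
        return any(os.path.commonpath([norm, d]) == d for d in (app_dir, data_dir))


def demo() -> Dict[str, object]:
    """Walk a hypothetical mail client through install, requests, and an update."""
    prompts = PromptLog({"hw:webcam": True})          # the user will allow only the webcam
    sb = Sandbox(prompts)
    path, v1, v2 = "/usr/bin/evolution", b"evolution build 1", b"evolution build 2"
    out: Dict[str, object] = {}
    # Vendor ships an allow-all profile; only the mail-client baseline survives.
    out["granted"] = sb.install(path, v1, "mail client", vendor_profile=set(ALL_CAPS))
    out["smtp"] = sb.request(path, v1, "net:smtp")          # baseline, no prompt
    out["net_any"] = sb.request(path, v1, "net:any")        # prompted, denied
    out["webcam"] = sb.request(path, v1, "hw:webcam")       # prompted, allowed
    sb.request(path, v1, "hw:webcam")                       # remembered, no second prompt
    out["prompts_before_update"] = prompts.count
    out["smtp_after_update"] = sb.request(path, v2, "net:smtp")   # new hash: re-asked, denied
    out["inbox_ok"] = sb.file_allowed(path, "/data/evolution/inbox")
    out["escape_ok"] = sb.file_allowed(path, "/apps/evolution/../../etc/passwd")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```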

time to throw malware in jail (1)

Presto Vivace (882157) | more than 6 years ago | (#23313930)

I just don't understand why malware isn't considered a form of vandalism and prosecuted as such.

Re:time to throw malware in jail (1)

hvm2hvm (1208954) | more than 6 years ago | (#23315652)

I don't think it would work. The same way the war on drugs doesn't work and never will. When people want/need something bad, they'll pay for it. When there is enough money involved someone will use all the means necessary to provide those things. Making anything illegal just creates more criminals and sociopaths. That in turn leads to more police which are anyway fallible to corruption. Don't fight the effects, fix the source of the problem. Make people aware of the dangers of malware. I know it's been said a lot but it's the only real way of fixing it.

Re:time to throw malware in jail (1)

Sobrique (543255) | more than 6 years ago | (#23323520)

To be fair, distribution/creation of malware -is- something that can be stomped upon. Various jurisdictions have computer use/abuse/misuse legislation.

But either way, it's like trying to change the weather by pissing in the wind. Isn't going to do much, apart from getting you dirty.

The _only_ solution to people using these powerful, complicated tools, without making a complete mess of them, is by adequate knowledge and training.

Until that exists, NOTHING that you do, precaution wise, is going to do any good.

Re:time to throw malware in jail (1)

hvm2hvm (1208954) | more than 6 years ago | (#23334742)

Yeah, what did I say?

"Capitalist" hacking? (1)

goldspider (445116) | more than 6 years ago | (#23314280)

"Welcome to the era of capitalist hacking."

What does the theft of personal information have to do with the private ownership and exchange of wealth?

Re:"Capitalist" hacking? (1)

businessnerd (1009815) | more than 6 years ago | (#23316664)

What does the theft of personal information have to do with the private ownership and exchange of wealth?
1) Hack system (manually or via malware)
2) Steal personal information
3) Sell personal information
4) ?????
5) Profit

Does "Hacker for hire" or "For profit hacking" work better for you? The correct term is "Cracker". Either way, it is a capitalist system that they function under. There is demand for a good (personal information). The cracker answers the demand by producing a supply of that good. The quantity of demand versus the available supply determines a price. People pay the cracker for the good which is later used to make more money through other nefarious activities. The cracker is like the wholesaler of ID and credit fraud.

Re:"Capitalist" hacking? (0)

Anonymous Coward | more than 6 years ago | (#23316996)

The biggest problem is credit card companies and banks don't really seem to give a shit about who can run up bills on their system. Nor do they really seem to care to validate the creation of new accounts.

So that means any crooked schmoe with your credit card number can put fraudulent charges on it. This can be obtained through phishing (Hey buddy! Get a free credit report!), through malware, through social engineering (they get service contracts with legit businesses and glean data that way), and through other tricks such as stealing cookie data from other sites (some banner ads are dirty that way. Not to mention a lot of "trusted" sites seem to be blind to this too, as long as they get their ad money.)

The problem with other personal information, such as social security - is that it can be used to obtain credit. So if someone gets your social security number, they can make a fake credit account in your name. And again they go about running up the fraudulent charges. Guess who gets stuck with having to fix the mess of illegitimate debt and a bad credit rating? Apparently not the credit card companies or banks who allowed this f***ing problem to happen in the first place.

So until someone steps up to fix financial things with stronger verification and validation methods, all the security related to financial systems is pretty much useless. Sure it may be near impossible to break into a banking or credit system, but as long as they blindly trust outside data (billing requests or account creation) - they may as well be running unprotected XP SP1 boxes. It doesn't matter how the exploit is done, provided the end result is the same. (Stealing from you or the credit/bank institution and putting it in their pocket.)

NOT William Morris (2, Funny)

MadMidnightBomber (894759) | more than 6 years ago | (#23314316)

Everyone knows it was Philip Morris, the guy who makes the cigarettes.

There ARE other alternatives (3, Interesting)

Arrogant-Bastard (141720) | more than 6 years ago | (#23314738)

In re: "Unfortunately, monitoring lists and networks is about the only current alternative."

There are many alternatives to this, starting with: "Recognize that operating systems which are readily compromised by malware are broken and not acceptable for use." If you choose to use an OS which is so intrinsically weak that it cannot survive exposure to the (unfirewalled) Internet without anti-virus, anti-spyware, anti-adware, etc., then you have chosen poorly, and no subsequent choice you make will compensate for that.

A followup point would be "Understand that it is not possible to 'clean' a malware-contaminated system. The only acceptable course of action is to wipe to bare metal, reinstall, and restore from backups." While it might have been partially true in a limited sense that some malware could be removed by anti-whatever products, that's certainly not the case now: it's much more likely that malware will evade detection and removal. Of course, it serves the purposes of both anti-whatever companies and lazy system administrators to continue propagating this fiction, because if they actually had to scrub and rebuild systems as often as they're infested, they might have to face some hard choices that they'd rather not.

And an excellent set of auxiliary points may be found in Marcus Ranum's The Six Dumbest Ideas in Computer Security [ranum.com], where he enumerates the most egregious (and sadly, most common) mistakes made by nearly everyone, including supposed "experts" with strings of meaningless, worthless certifications after their names.

So there are plenty of alternatives -- but choosing them and implementing them requires vision and insight, two qualities badly lacking in many in the profession.

Alarmist (3, Insightful)

redelm (54142) | more than 6 years ago | (#23314978)

Sorry, I'm not paranoid. Go peddle your fear somewhere else. Yes, there are real threats. There is also a cost both in money and peace-of-mind of fighting them.

There is a balance to be struck, and "Better safe than sorry" can be answered "better neither than either".

1 Print Page (1)

antdude (79039) | more than 6 years ago | (#23316384)

One page print page [computerworld.com].

that's ROBERT Morris worm, son. (1)

swschrad (312009) | more than 6 years ago | (#23319212)

the "William Morris worm" sends you scripts, tries hard to get you to take a meeting, then charges 15%.

Agree with Criminals Winning (1)

Atticbat (933266) | more than 6 years ago | (#23320348)

Working with residential users on a regular basis, I have come to repeat: "There is no One Program that rules all malware (and I explain malware includes all the crapware since They figured out profit was to be made online). Safe surfing habits are the best defense against Malware." Soapbox aside, since Sony released rootkits into the wild, I have had more success with backing up data and performing the elegant Nuke and Pave. Format and reinstall. Without doing that, I have very little confidence in any of the existing spyware/adware/virus detection/removal programs available being able to 'clean' a PC. That said, when did Anti-Malware become a million (or billion) dollar industry??? How is it in anyone's best interest to 'cure' the internet of hostility? It is so profitable for both white and black hats. Frustrating to say the least.

Terrorist Malware (1)

mlush (620447) | more than 6 years ago | (#23322074)

Why have we seen no 'terrorist malware'?

I would naively assume that it would be easy enough to buy off-the-shelf botnet code, release it, and when it gets to a sufficient size upload something really toxic. For bonus points the attack could be limited via IP address or targeted at ideologically unsound files.

From a practical POV this sort of attack would circumvent the normal surveillance as there is no need to go to terrorist camps, no need to buy suspicious chemicals ... they would still need to keep their gobs shut.

Is running a botnet a hugely expensive/technical enterprise? (I've no doubt there are enough disaffected techies out there to run the thing)

Is it that cyberterrorism is just seen as too wussy to bother with.... That does not seem to hold water; terrorism is about publicity, and one strike or even the rumor of an attack would generate hysterical coverage in the world press. Followed up with Billions spent on improved security (not such a bad thing:-).

Perhaps that is the reason why the bot herders don't want to get involved as it would poison their honey pot...

Re:Terrorist Malware (1)

Sobrique (543255) | more than 6 years ago | (#23323532)

I think it's more that a distributed denial of service attack is just plain unexciting on the grand scheme of flying aircraft into office buildings.

No one ever died as a result of a computer virus.

Re:Terrorist Malware (1)

mlush (620447) | more than 6 years ago | (#23324198)

I think it's more that a distributed denial of service attack is just plain unexciting on the grand scheme of flying aircraft into office buildings.

No one ever died as a result of a computer virus.

I wasn't really thinking of DoS ... how about on 8th August every infected computer overwrites its hard disks with copies of the Lampton manifesto.

There are bound to be a few infected computers in hospitals, airports, power stations etc. and it does not matter if they were not attached to anything important, the news stories will be all about how the Lampton worm nearly caused planes to fall, patients to die and 'endangered' the Grimbledown nuclear power plant.

Later on they will move to human interest stories about how the Gumby family lost every precious picture of their dead daughter, along with vastly inflated estimates of the total damage done and productivity lost and the new draconian security policies that companies now 'have' to enforce.

Sure it's no 9/11 and may not appeal to your typical bomb throwing nut, but perhaps it would appeal to a radical Anti-capitalist group, religious cult, student jihadist wannabes or lone fruitcake.

Sci-fi - AI (1)

Sobrique (543255) | more than 6 years ago | (#23323606)

I am reminded of a rather amusing sci-fi short story I read. I think it was Cory Doctorow's 'Robby the Row boat'.

But anyway, one of the ideas it espoused was that malware is what's driving systems development to the point of passing Turing tests. Between captchas, Bayesian filters, and similar 'prove you're a human' malware countermeasures, with virus heuristics, and malign software detection, you have a very potent 'reaper' process, which kills off substandard malicious code.

The stuff that sticks is the stuff that's most adaptable, the most convincing Turing test faker, and as malware improves, so too does the counter-malware environment.

I mean, malware today is actually working on detecting 'anti' malware, and trying to blind it or otherwise remove it - I've run into numerous trojans and bots that disable virus checkers for example.

OK, so it may be far fetched, but it's not all that unreasonable an extension of the automatic spam/virus/malware filtering and detection, vs. the subversive and adaptive malware out there.

Better computer architecture (1)

octogen (540500) | more than 6 years ago | (#23323952)

Instead of reactive solutions, better computer architecture could be a solution.

A so-called "worm" always spreads by injecting and executing its code into a vulnerable process on a remote computer. For example, on an IBM AS/400 it cannot do this, because if you overwrite a pointer with data, then it is not a pointer anymore - so it cannot be used to address memory (that's why the machine actually has 65 bits instead of 64 bits, the 65th bit is a tag flag that marks pointers, aka pointer-in-memory protection).

Actually, you do not need much more than different instructions for data moving and address calculation, and instructions to mark code as code and data as data, and almost all possibilities to write any malware that installs itself are gone.

Unfortunately, as long as companies can sell current computer architectures, just because they are barely good enough to do some work sometimes, no one is going to build such a better, new architecture.
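The tag-bit idea from the comment above, as an added toy model (my own example, not the commenter's code and not the real AS/400 instruction set): every memory word carries a tag that only a pointer-store instruction can set, a data store clears it, and the address-use instruction refuses an untagged word. The word layout, the three instruction functions and the overrun scenario are all assumptions made for the illustration.

```c
/* Toy model of tagged-pointer memory (constructed for illustration; the
 * hypothetical "65th bit" is the tag field, not a real machine encoding). */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MEM_WORDS 16

typedef struct {
    uint64_t value;
    bool tag;      /* set only by the pointer-store instruction */
} word_t;

typedef struct { word_t mem[MEM_WORDS]; } machine_t;

/* Pointer-store instruction: the only way a word becomes a usable pointer. */
static void store_ptr(machine_t *m, size_t at, uint64_t target) {
    m->mem[at].value = target;
    m->mem[at].tag = true;
}

/* Data-store instruction: writes the bits but always clears the tag,
 * so data written over a pointer is no longer a pointer. */
static void store_data(machine_t *m, size_t at, uint64_t v) {
    m->mem[at].value = v;
    m->mem[at].tag = false;
}

/* Address-use instruction: follow the word at 'at' only if it is tagged
 * and in range; otherwise refuse (return false) instead of dereferencing. */
static bool deref(const machine_t *m, size_t at, uint64_t *out) {
    const word_t *w = &m->mem[at];
    if (!w->tag || w->value >= MEM_WORDS) return false;
    *out = m->mem[w->value].value;
    return true;
}

/* Scenario: a 3-word buffer occupies words 1..3, a saved pointer sits at word 4
 * and points at word 5. Writing n words of data from word 1 spills onto the
 * saved pointer when n > 3. Returns true iff the model then refuses to follow
 * the pointer. Note the overrun writes the same value (5) the pointer held:
 * the tag, not the bit pattern, is what decides. */
static bool overrun_is_refused(size_t n) {
    machine_t m; memset(&m, 0, sizeof m);
    store_data(&m, 5, 42);                  /* target word holds 42 */
    store_ptr(&m, 4, 5);                    /* legitimate pointer to word 5 */
    uint64_t v;
    if (!deref(&m, 4, &v) || v != 42) return false;   /* legit use works */
    for (size_t i = 0; i < n && 1 + i < MEM_WORDS; i++) store_data(&m, 1 + i, 5);
    return !deref(&m, 4, &v);
}
```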