You must have heard the story about the frog that sits in a pot of water that is gradually heated. The process is slow and the frog doesn’t notice as the temperature inches up, even when it gets quite hot. Finally, it is too late and the frog is boiled. Well, we are all frogs in the computer security pot and it is getting awfully hot.
The manufacture and application of malware is no longer the province of script kiddies, thrill-seeking hackers, and occasional malcontents. It has passed into the hands of professionals who are in it for the same reason as bank robbers: money. These people are in the full-time business of removing your wallet. They are located all over the world and are almost impossible to prosecute (if they are ever caught). Not only do they use sophisticated programming but, like other types of con men, they are masters of psychology and social engineering.
It isn’t just individuals who seem to be ignoring the rising heat. Institutions like banks have been shameful in their neglect of basic security practices. It’s the old story of human behavior when faced with an unpleasant prospect. They hope it’ll go away and they won’t have to actually confront the situation. Security is too much work. Security is inconvenient. Security is unpleasant. Security costs too much.
Well, the problem is not going away. It’s only going to get worse; there are too many easy pickings for the international gangs. The statistics that get reported are very discouraging. There’s no way of knowing the true numbers but various studies show that maybe 10 to 20 percent of PCs (or more) contain malware. Much of this is some form of Trojan horse that makes the unwitting owners of the infected zombie computers part of “botnet” rings. Even a small number of infected machines is a problem. The Internet is like a giant organism with low resistance, and a few infected machines rapidly multiply their numbers.
In my opinion, this is a situation that is rapidly getting out of hand. It’s a mess that gets more complicated by the day. You are supposed to have a vast collection of software to guard you. You need a firewall. You need anti-virus, anti-Trojan, anti-spam, anti-phishing, anti-spyware. These programs do not always play well together. Yes, you can get suites but so far there is no suite without at least one inferior component. All these things running in the background result in a big hit to system performance. Next, you need constant security updates for all of this. And you also need security fixes for all kinds of other applications. You need to update Windows. You need to update your browser. You need to update Microsoft Office. You need to update Flash. You need to update Java. And so on. Then there is the problem that not everybody bothers to update. The software companies are trying to make the updating as automatic as they can but the statistics on the results are not good. People get “patch fatigue”. They get numbed by the constant drumbeat about new malware. Even businesses with full-time IT staff have a hard time keeping up. The fact is, even with constant updating, systems are still vulnerable to so-called “zero-day” and undocumented exploits.
Moreover, it’s not just the PC that is a problem. People are becoming more and more connected. Cell phones, iPods, Blackberrys, and other similar instruments are ubiquitous. The criminals are not neglecting these fresh pastures.
I could go on with the lamentations and hand-wringing but that becomes boring. Let’s look at possible answers. We have to begin with the sad fact that our fellow human beings are not to be trusted. Most of us are basically decent and responsible people who do not steal or enjoy vandalizing other people’s computers. We would prefer to be able to use the Internet in a spirit of community and trust. Unfortunately, there are always hoodlums and charlatans and sociopaths waiting to take advantage of our trust. So we have to stop believing everything that we read on the Internet. We have to treat all emails as possibly suspicious and never click on any links they contain. We have to regard unfamiliar Websites as potentially dangerous. We must test anything that we download before we install it to see if it is malware. We have to trust less and verify more.
Also, there is no getting around the fact that we must give up a lot of convenience. There is a clear trade-off between ease-of-use and security. Locked doors are less convenient to use than open doors. For example, online operations like banking will have to involve longer procedures. Security can be tedious but we must learn to live with computers that are harder to use. Reports on the Web about the annoyances of the new security features in Windows Vista illustrate that point.
Some people (usually officials who want headlines) suggest that more laws are the answer to the security problem so they urge or pass laws against Internet fraud. These efforts are so pathetic that I have to wonder how seriously the law-makers really take them. There are plenty of laws against fraud already. Does anyone really believe they are going to deter the gangs in places like Uzbekistan, and Iran, and Russia? However, if the legislators want to pass laws, there is a very important way that they could help. Let them make fiduciary institutions like banks more responsible for security breaches. At present these institutions are woefully inadequate in guarding your personal data or in guarding against phishing. (There are some exceptions like Bank of America and Vanguard that are beefing up their online security.)
If your identity is stolen, the burden is on you, not the bank. Let the legislators pass laws making the banks, stock brokers, etc. responsible for losses due to identity theft. Make them responsible for safeguarding your personal information. Make the institutions liable and then you’ll see a lot more security. Of course, this will cost money and make things like online banking less convenient but it has to be done. As long as it is really easy to steal somebody’s account information, thieves will thrive. As of now, institutions haven’t the incentive to do much about it.
I also believe that the current notion that the PC should be an all-purpose machine with the same basic type being used by everybody from grannies doing email to big businesses with large applications is fatally flawed. Microsoft and Intel and Dell have a big investment in this model so we are probably stuck with it for a while but it makes no sense. A whole lot of the people who use computers at home simply don’t need the power and flexibility of the current PC and they are completely unprepared to do many of the security measures that these systems require. I deal with a lot of ordinary people who have little understanding of Windows and no interest in learning details about how a PC operates. They want something that works like their other appliances. They want to turn the PC on, do some email, surf a little and that’s it. The needs of this large section of the PC users could easily be met with a machine that is a lot safer and easier to use than the present PC type. It would also be cheaper and that’s the rub; there’s no money in selling a box with limited functions. Unfortunately, these average users are the very people who are the biggest security problem. I gave a lecture to a group of average PC users recently where I asked how many had a firewall. About half either had no firewall or had no idea what a firewall is. About half did not have an up-to-date anti-virus subscription. Their machine had come with Norton or McAfee and when the update subscription expired, that was that. This is not a scientific sample but it is indicative.
What about the defenses right there on our own PC? Can we improve them? In a previous article, “Do We Need a Paradigm Shift in Anti-Malware Protection?”, I suggested that the reactive approach with anti-everything software was clearly not working. The solutions mentioned in the previous article included using virtual machines and I think that may be the best practical solution.
There are various ways to configure your Internet browser to make your computer safer but that’s a subject that involves technical details and will have to wait for another time. Meanwhile, don’t let the criminals out there ruin your enjoyment of the wonderful world of the Internet.