Security and Privacy in a Networked World/PIBKAC

PIBKAC: Problem Is Between the Keyboard and the Chair
Let's imagine a fairytale - an evil wizard made all traffic cops to disappear. Soon, all driving schools and registration authorities followed. Finally, all traffic signs but a handful were gone too. After all this, the city traffic in this tale looked a bit like the Internet we know.

Billy's Plight
But let's come to the real world instead. Meet Billy McBuff - an honest family man, a car mechanic by trade. Billy saves some money and decides to surprise his family with a new computer for Christmas. The deal was good, all the necessary software came preinstalled with the computer and the salesman even threw a small printer in. Billy gets home, unpacks the device, a technician comes from the network company the next day and gets the Internet connection going. Everybody is happy, especially the children.

After some days, the computer starts to slow down. The disk whizzes and cracks even when nobody is at the computer. Some new icons appear too. Billy's new computer has been invaded.

The situation probably feels familiar. The problem is that Billy dealt with
 * computer dealer
 * software dealer (usually the same as previous)
 * network provider

Yet, his privacy and security was addressed by nobody. The outcome can be seen from e.g. here: http://www.securelist.com/en/analysis

A real-life example: The Tiger Leap
The Tiger Leap was a much-promoted programme to equip Estonian schools with computers. In many ways, it was a success - schools received new technology, training and materials were provided too. Yet, in one sense, the programme fell short.

Schools received new computers - at first one or two, later the full classroom sets. Training users (especially in security and privacy issues) was neglected.

A little later, the realization hit that the computers need software too. Official software deals were negotiated to counter the threat of license-violating ("pirated") software, some solutions were also homemade. Training users was, alas, largely neglected again.

Afterwards, somebody suggested that networks could be handy too. The connections used modems at first, later broadband was introduced. But again - training users was neglected.

Finally, someone looked at the situation. It was not pretty.

In times of old...
In early days of computing, cracking computers was
 * less malicious (a prank rather than an attack)
 * very seldom connected to money
 * a battle of equals
 * something that took skills
 * done by a handful of people (compared to today)

The turn of the century brought (among other things) Netbus, Back Orifice and Sub7. And the case of Magnus Eriksson (among others).

New goals
In today's war, it is often better to disable than kill - the enemy must take care of the injured combatants. Likewise, the viruses of old that reformatted the victim's hard drive are all but gone - the new malware is designed to keep the victim alive (sometimes even shutting out other viruses!), but the primary function of the computer will shift - first of all, it is to obey its new, distant master, working for its legal owner will be of secondary importance.

The mass factor
For every evil genius, there is a host of 'cannon fodder' (also called script kiddies) who lack skills and knowledge (and often also life) but have loads of free time to burn. And well-equipped fools are very dangerous.

As a dark side of 'information superhighway', the tools created by a small number of brilliant but malicious minds can be used by a much large number of unskilled but ambitious folks aspiring to be 1337 (pronounced 'leet' and meaning 'elite' in cracker slang) someday. A typical way of doing things is to repeatedly run a simple tool to scan a network segment for some specific vulnerability and then run another simple tool to exploit (or invade and conquer) it. Sometimes this is done just for fun, but working for some larger force is increasingly common (an example is RBN).

So, coming back to Billy McBuff, no one was actually interested in him as a person. All that mattered was an unprotected computer waiting to work for someone else.

"So what?"
A rather typical reaction on learning these things is "Well, I am nobody of interest. I'm not Madonna, Tony Blair or Roger Federer. Who would want my computer? And even if they attack it, it is nobody else's problem."

Wrong, it is. Nowadays, most infected computers end up in botnets - large networks of conquered machines under the control of network criminals. Large, well-built botnets provide equal computing power to the best supercomputers - and for a tiny fraction of cost (can be a couple of hundreds of dollars per day - http://blog.damballa.com/?p=330).

Botnets can be used for
 * sending spam and scam schemes
 * DDOS attacks (an increasing use is distortion; see below)
 * cyberwar and political attacks

"The offer you cannot refuse" (The Godfather)
It is an increasing type of network crime mostly targetting companies and persons in developed countries whose business depends on being online, but IT-competencies are limited. They will be contacted and demanded a sum of money - failure to pay would result in a DDOS attack that keeps them offline for an extended period. The attack can be bluff, but can also be real (botnets are cheap enough). As with any distortion scheme, a 'reasonable' demand invites payment - and it will be soon followed by a bigger demand.

What your computer is useful for
There are many opportunities:
 * store one's porn collection - and some sicker kinds of porn are very explosive (in legal terms)
 * store a lot of illicit software - BSA and Microsoft will probably be interested to know
 * create a communication channel for some darker purpose - e.g. an IRC channel to trade stolen credit card information, or to host a child porn ring
 * spam something
 * attack someone (directly or via middlemen)
 * online banking (using the victim's account)

Easy, cheap, secure - pick two?
A typical understanding is something like this:
 * a Windows PC is rather affordable and easy to use. Alas, it is not very secure (as about 99% of malware targets Windows).
 * a Mac - easy to use and rather secure. However, it is not really cheap.
 * a Linux PC (or a Mac running Linux) - cheap and secure, but not that easy to use.

Actually, it is not quite true, but it is difficult to overturn a widespread perception.

A remark on Apple
Apple users have been quite safe for a time - two of the reasons being small market share and being used mostly by professionals (i.e. intelligent people). As both of these factors have recently started to change, the situation may grow worse (first signs are already here - and in a limited manner, it may also be valid for the most mainstream types of Linux, like Ubuntu or Mint).

A serious factor here can be the 'walled garden' mentality displayed by Apple (as long as you stay within walls, we'll take care of everything!) - this does not help with awareness and knowledge. Even if the base of OS X is more secure than Windows, the PIBKAC factor may decide.

Hopeless...?
It is not that bad yet. Most simple (i.e. easy enough to be used by script kiddies) attack tools target neglected (no updates, lacking defensive measures) computers. Security is largely a reasonable balance between effort and expenses - when we install a good Abloy lock to our door, we do not aim to stop a Special Forces unit; the lock should however keep out the guy next door looking for funds for his next dose. So there is no 100% security - but there are reasonable measures for reasonable expenses.

What's da password?
Using weak passwords is one of the most dangerous habits of the 'Windows generation'. Why so? The first versions of Microsoft Windows (and before them, MS-DOS) were one-user systems without passwords. Windows 95 introduced a weak password system with no actual protection (Note: while Windows NT 3 appeared roughly at the same time and had actual password protection, it remained a niche product for businesses, while the everyday users mostly went with 95). The password on Windows 95 and 98 only protected one's desktop layout (icons and wallpaper) - pressing Esc bypassed it and provided the user generic desktop with all access rights. Later on, Windows 2000, XP and their descendants offered actual password protection - but the mindset of users was already tainted. Passwords like "123456", "password" etc are still common.

Another common problem was to use computers in admin mode. When mainstream systems (most of all, MS Windows) started to offer different account levels for ordinary users and administrators, a lot of non-technical people did not understand it. To make things worse, a sizable number of applications were built with administrator privileges in mind, so running them with limited rights resulted in limited functions. Thus, people grew used to run their systems in admin mode - and coupled with bad password habits, made their computers very easy targets.

Interestingly, the whole password hassle has a rather long history. The RFC (Request for Comments - a type of Internet policy documents) titled The Stockings Were Hung by the Chimney with Care was written by Bob Metcalfe back in 1973 and addressed exactly the same things...

Rinse & Repeat
The passwords should
 * be at least 15 (!) characters long - today, simple passphrases (e.g. "I don't like to throw socks") with enough length are preferrable over short and complicated passwords!
 * contain letters in both cases, numbers and (if possible) punctuation marks
 * the meaning should be easy to remember but difficult to deduce - when using a long passphrase, it should not be a common sentence (e.g. knowing the beginning to be "Wise man say", any fan of Elvis can complete it with "only fools rush in")

CERT recommends
See http://www.cert.org/tech_tips/home_networks.html - even if it's from 2006, most of it is still applicable. Main points:
 * When working from home, consult with the security guys at work
 * Use antivirus and firewall
 * Don't touch unknown attachments in e-mail
 * Don't use software from unknown sources (in some extent, it applies to open source systems too!)
 * Turn on display of file extensions (Windows hides them by default)
 * Update all software (including OS) regularly
 * When not using the computer, turn it off or disconnect from Internet
 * If possible, disable Java, Javascript and ActiveX
 * Turn off e-mail scripting
 * Backup important data regularly
 * Create an emergency boot disk for the computer

"Education breeds confidence. Confidence breeds hope. Hope breeds peace." (Confucius)
In many fields of today's life, it makes sense to leave more complicated tasks to professionals. Most of us do not repair our cars, build our homes or even grow our food. The same principle was true in computing - until Internet arrived. Today's computer user needs to invest in it - be it time, money or other things. A few lucky ones (e.g. those married to an IT expert...) can perhaps get by without learning themselves, the rest of us should learn.

The main things to learn include
 * knowing one's computer (i.e. main information on the major parts - a good self-test would be to read a computer sale advertisement and trying to understand it)
 * knowing one's software (what is installed in my computer - what was preinstalled and what was added later)
 * knowing one's way around (main directories etc)
 * updating the system
 * knowing most common maintenance software (antiviruses, spyware removers etc)
 * being curious and willing to learn

Bad Things
The "no-no" category includes
 * constant use in admin mode
 * simple and short passwords
 * forgetting to update
 * going to bad places online
 * typing one's e-mail address everywhere
 * opening strange attachments
 * installing unknown software

Some personal thoughts by the supervisor
Disclaimer. these are personal recommendations, your mileage may vary!


 * Drop Internet Explorer (and in older computers, Outlook). Lessens a lot of risks.
 * Install LibreOffice and use it as a primary office package (may keep MS Office for those documents not displaying properly in LO).
 * Using Linux whenever possible is a good idea.

Some other things
Technologies with a very poor security record include Flash, Silverlight, ActiveX and Acrobat. For a web browser, installing an ad blocker (e.g. AdAware) and script blocker (e.g. NoScript) can help a lot - for the latter, it makes sense to allow scripts permanently with well-known, harmless sites and allow them for a single session at places with lots of ads and suscpicious material.

An enlightening story from 2009 about South Korea locked into ActiveX can be found athttp://www.koreatimes.co.kr/www/news/biz/2009/09/123_52401.html

To sum it up
The situation is pretty bad - but not hopeless. Yet the PIBKAC principle is still valid. The only way to get rid of botnets is to keep computers off them. And this is up to you and me.