A month ago I downloaded a well-known shareware application from a download web site–a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center and multi-threaded download managers are a good way to load up your bandwidth pipe. I double-clicked on the installer, saw my mouse turn to an hourglass, and then disappear. I saw the hard drive lights flicker a few times, and then nothing else happened.
I knew right away something wasn’t right and that was quickly confirmed when I realized I couldn’t launch Task Manager or Regedit: I was infected with malware. A trojan to be more specific.
In the last ten years I have been infected once or twice before–usually by something minor like spyware attached to a game my kids downloaded–but I had never anything major like this. Bringing up a command prompt, I quickly fought the infection with my arsenal of cmdlines I had gathered over the years. But once I thought I had the thing completely gone, it once again would appear in my task lists and runonce entries.
It didn’t take long for me to realize that it was using WMI events to keep itself alive on my system. Because these types of infections are difficult to detect and even more difficult to remove, I went after the file system, removing any binaries related to the trojan. Using timestamps and several SysInternals tools, I was able to eliminate all of the infected files, although the trojan was still active–albeit neutered–on my system.
I spent two days working on the server and ultimately ended up with a system that would blue screen before loading Windows. I finally just gave up and reinstalled the system to a fresh state. What bothered me most wasn’t the time I had wasted fighting this trojan, it was the fact that it had beat me. In fact, it beat me using the very same tactics I myself had developed and used over the years.
But as I got thinking I realized that what really bothered me is that this was a fully patched server running Windows 2008 behind two firewalls. And I was downloading a trusted application from a web site I recognized. And most of all, it bothered me that this is 2009 and I still got infected.
A decade ago I remember telling my clients that it would take ten years for the tech industry to get caught up with security. There was simply too much stuff to fix and not enough talent to fix it. Well that ten years has come and I wonder how those clients are doing now. The daily security headlines nowadays really aren’t much different than they were in 1999. Some new worm threatens the Internet infrastructure. Some .gov or .mil was hacked, probably by The Chinese, and it turns out you can still get hacked no matter how many initials you have after your signature and no matter how many standards you comply with.
It’s 2009 and I am still forced to use ancient, unencrypted protocols like FTP, Telnet, and SNMP. And even where public key encryption is commonplace, like with SSL encrypted protocols, I still find myself faced with things like having to decide whether I should trust a self-signed certificate or not.
Then there’s e-mail. Not only is it unencrypted, but it is unauthenticated and also subject to tampering. Nevertheless, I finally stopped installing PGP on all my computers because no one ever sends me PGP-encrypted e-mails and no one is ever able to read the ones I send encrypted. And this is 2009.
Even though it’s 2009, so many are still fooled by those fake e-mails from their banks. And even though spam filters work pretty well at protecting us from seeing our spam, there are still thousands of spam messages that end up on my servers every day.
And when I send an e-mail, there’s no guarantee that only the recipient will receive my message. There’s no guarantee that other’s can’t read or even modify my message.
Ten years ago we knew exactly what it would take to fix our security problems. We got the firewalls down pretty good. Code is generally more secure now. And most of us are good at keeping our systems up-to-date with patches.
But we still don’t have widely-adopted solutions for authentication, encryption, and data integrity. We still have weak passwords and our mother’s still have the same maiden names. And most people are simply too underequipped or undermotivated to combat the skills of the malware developers.
That means that despite all our advances in security technology, the best ways to hack someone are the same as they have always been—through a malicious e-mail attachment, or some infected download, or simply guessing someone’s password.
This is a serious problem, a problem that will take a decade to fix.