WeekEnd Feature:
Public enemy number one – the public.
by Ian Thompson, CCSP Staff Editor
May 1, 2004
What’s your worst nightmare? Is it global terrorism on your doorstep? Is it the threat of science gone mad, with genetic engineering and the prospect of meeting your own clone one day? Is it Batman? Is it being unwittingly co-opted into money laundering, spamming others or crippling DDOS attacks on governments and companies worldwide?
Welcome to the world of the unsafe PC user……
How safe is your car?
I read a lot of bits of interesting press each week. One writer I particularly look out for is Jack Schofield, columnist in the Guardian Online supplement. He’s capable of offering basic advice to all types of readers’ requests without the sort of jaded cynicism to which other similarly experienced hacks could resort, especially after offering the same advice time and again.
Another reason I like Jack is that, by one way or another, we both seem to have arrived at a very similar basket of security products. Great minds, as they say…
This week, Jack started his article with this:-
“If your car had four bald tyres and no brakes, you would not be allowed to take it on the road. But if your PC has no firewall and no anti-virus software, any number of people will be happy to provide you with a broadband Internet connection.”
So many people report that one nasty or another has hit their new pride’n’joy PC within minutes of connecting that this issue is getting serious. Clearly, our road traffic authorities have rules to help ensure a basic level of safety, and there now needs to be a move to similar requirements for our online activities. After all, the drivers of an unsafe vehicle are likely to have a detrimental effect on others as well as themselves when they go backwards through the scenery after they come to the first rainy corner that day…
Is it really life or death?
The situation with unprotected PCs is that it’s not a question of ‘if’ but ‘when’ the attack will come. Even relatively old worms can take advantage of unpatched systems, long after the rest of us have consigned those versions to the delete bin. So what are we looking for?
A sensible PC manufacturer will provide its customers with an up-to-date installation of the operating system (doesn’t matter which flavour, they all get improved during their life). This may require some effort on their part, because they will have the support issues to deal with if an update or patch proves problematic to one part or another of their chosen configuration. Things like recovery disk images would need to be kept current, as would any first-line support offered on web sites or hotlines.
However, we can basically assume that any manufacturer who still ships an out-of-box installation of Windows XP, for example, either hasn’t the resources or the respect for its customers that they deserve.
Media Center, anyone?
This shift in responsibility, from customer to manufacturer, must happen. There is no option, and if things keep going the way they are (with Jack’s unsafe vehicle analogy in mind), then pretty soon things are going to fall into the realms of legislation. And if that happens, expect costs to rocket because where there’s a law, there’s a need to check it’s being upheld – regulation, inspection, etc.
I recently had a look at a Media Center PC from Hi-Grade that took the idea of PC as consumer durable (rather than specialist market product) to its ultimate point – at least until ‘smart clothing’ arrives. The unit is very smart, in brushed silver, and looks like the older-style DVD player, perhaps the full-sized hifi separates unit that audiophiles would drool over. The only difference on the front compared to these older players is that the DVD drive is a slot-loader. The whole show looks very sleek, but is in fact a complete Windows Media Center PC. It doesn’t ship with any monitor as standard, using the home TV instead via a standard SCART AV connector, as found on regular home entertainment equipment like VCRs, DVD players and satellite decoders in these here parts.
It therefore removes the final barrier to the PC being thought of as a distinct device, to be treated with a bit more care than the family toaster, for example. Now it looks like part of the furniture, sitting near the TV with the rest of the push-button, anyone-can-use-it home entertainment stuff. Folk would just plug-and-go with this type of thing. But would they remember to keep it updated? Probably not, because it doesn’t look like it needs it – after all, when’s the last time you updated your DVD player firmware, or the digital TV decoder? If ever at all, then it won’t be anywhere near as often as a regular PC… which is what it is, under all the flash and style. Just as vulnerable, just as crashable, and probably connected online via broadband the whole time it’s in use, not just when the user is surfing or emailing.
Do you have a valid licence?
Now, are we heading towards authorising users to connect PCs together? No, of course not – such a system would be unwieldy in the extreme and unworkable in practice. However, we need to have more than just a voluntary option to install protective systems. There needs to be a basic minimum required of any system that connects out to the rest of the world.
But it should not be up to the end user to be aware of the need and then be up to finding the right resource. At risk of sounding anti-competitive and just a bit kiss-ass, Microsoft has the right approach with bundled applications, all under one update policy via Windows Update, with a Critical Update Notification watchdog looking out for the latest patches on behalf of the end-user. And from what I’ve seen of the RC2 version of XP SP2, the firewall seems up to the job.
What became of the anti-virus company they purchased last year? Surely that cannot have been just to shut down one of the more popular versions available to Linux server users? Okay, maybe it was, but the next logical step is a return to the old days when MS shipped a basic AV product with their OS – the only thing that killed that one at the time was a lack of updates. Now, with product activation, Windows Update and so on, MS can be a little bit more sure that the end user is valid, provide them with regular updates via the normal route and not have to charge for the privilege this time round!
Public Enemy?
So what’s with the headline? Well, the vast growth in PC numbers in the last five years has undoubtedly been in the home market. Business growth will have been brisk, but many companies will have upgraded some PCs as well as providing new ones. And most businesses will have many PCs behind one Internet connection, unlike home users where the average will be somewhere close to one per connection (at least until Media Center PCs take off and online gaming via Xbox increases). The bandwidth available to spammers, bot-commanders and IP spoofers everywhere is vastly increased.
Combine this with the unprotected nature of many of these systems (anyone got an AV on their Xbox?) and you have Nirvana for the nasties – “Fly, my lovelies! Fly!”. The bulk of the attacks against large organisations now comes from high-speed connections to home PCs, not from the companies themselves. Various legislative Acts have meant that companies have a duty to protect information and the like, and once a company starts to investigate the problem, it will pretty quickly arrive at an adequate (if not exactly exemplary) solution.
It’s the public that is its own worst nightmare.
The solution.
Always, the solution has been upheld with vigilance. You can fit a broadband router (and definitely should if you’ve more than one connected system), but make sure it’s kept up-to-date. You can install firewall software on each device if possible, along with anti-virus, spam filters and the like. You can even switch your ISP to one of the ‘big boys’ like Yahoo! or AOL (never dreamt I’d recommend them this side of senility) because they have the resources to do a lot of the control themselves. But you should never, ever just sit there and do nothing.
As Jack says, “You can either take these threats seriously or risk becoming a victim”.
cheers, Ian
by Ian Thompson ComputerCops Staff Editor
Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.
Copyright © Ian Thompson All Rights Reserved 2004.
Posted on Saturday, 01 May 2004 @ 09:16:33 EDT by phoenix22