Thursday, May 06, 2010

Ceding the desktop security battle, almost the war

Fresh from the FS-ISAC conference in lovely St. Pete Florida, one predominate theme was that Financial Institutions must assume the client, their customers rather, are compromised (infected with malware) and they must continue doing business anyway. Given the threat landscape this a reasonable operating parameter. The prevalence of man-in-the-browser attacks force FIs to make very tough business decisions. If a client PC infection is detected, do they continue to allow transactions with the customer while trying to detect and minimize fraudulent transactions? Further, are the FIs obligated legally or ethically to inform the customer of the infection? Or, do they suspend all transactions and incur support costs to help the customer fix their PCI before allowing money to move?

These are very challenging questions with no singular correct answer, but what really concerns me is the premise itself. If we operate with this assumption, that the client is compromised (again not unreasonable), then the good guys have ceded victory in the desktop security battle. With over 1 billion people on the Internet, that is no small loss. What’s worse is there are signs that the loss of the home network could be permanent.

Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. Think about what this could mean. Should this become problem become pervasive, it won’t matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still control because they own the network below. They’ll own DNS, the routers in between, and so on. There is effectively little defensive countermeasures to protect home routers and DSL modems, which are not exactly secure to begin with, or detect if they’ve been compromised.

I know this is a little FUD, but not exactly implausible.

15 comments:

@selenakyle said...

Jeremiah -- I don't think this can be classified as FUD because it's true. Or at least it's a plausible assumption, and a good one to work with if you're designing security controls. I talked about this a little bit in one of my recent blog posts about identity/authentication.

What I'm not sure about, though, is whether the battle for the desktop is over. I think the issue is how far an online service provider will extend their own influence/boundaries in order to keep their customers' client machines secure. Do we want ISPs, social networks, or banks to dictate the standard to which our client security is held? Open question, not rhetorical...

Jeremiah Grossman said...

If ISP are to be responsible, that means we'd have to be willing to give a large amount of privacy in exchange. Not everyone is going to be willing, but what choice is there.

brianlaflamme said...

Seems like this is part of a push towards authenticating the transaction instead of the session.

Gunter Ollmann said...

I'm glad that the FS-ISAC etc. are finally coming to realize the state of things. I've been harping on about this for several years now - particularly the aspect of businesses dictating what their own customers should do/use to protect themselves.

Back in 2008 I wrote a paper covering some of the things of how businesses can continue to operate and provide services to their customers - even if they can't trust their customers computers. The paper is called "Continuing Business with Malware Infected Customers" and its more valid today than it ever was.

Anonymous said...

We could all do our banking from Live CD setup to do a VPN into the bank with basically a client that runs from the live CD. No virus/trojans because, booted from a CD the system is immutable. Each customer could have a "customized" cd that becomes a "thing you have" authentication, along with a password "thing you know"

=matthew.stevens said...

I would recommend shipping the customers a liveCD once a system has been compromised. Limit the LiveCD to interacting with the approved site and hard code everything onto that CD

Anonymous said...

Assuming the worst case scenario is not the same as accepting defeat. Rather, it is a necessary assumption of any successful strategy.

This applies not only to viral infections, but literally to any mathematical estimation problem. An algorithm that is not robust to the worst case scenario is not robust in any sense of the word.

Danny Fullerton said...

Anonymous and matthew.stevens: This still does not work. Low level rookit (where hackers and organized crime are going) would still be able to compromise your live CD. Only trusted computing can help here (TPM, DRTM).

Please read about trusted computing and see ITL research (http://theinvisiblethings.blogspot.com/).

We have to drastically change the way we do computing. Today's operating system are simply broken by design.

Shawn Sparks said...

A LiveCD only valid for a specific site is not an option. I use a couple different financial institution sites which means I would need two CD's with me anytime I want to do financial work. It also means I have to reboot my machine each time. Of course, if you want to extend protection to credit card transactions, I now need a LiveCD mailed to me everytime I want to buy something from a new site: eBay, Amazon, Newegg, etc. You could create some sort of standardized LiveCD approved by multiple sites, but the more power you give to it, the closer it gets to a normal machine today. Not to mention there is always the option of infecting the memory each time it boots. An infected router or network could really cause problems there since updates would not come often if they have to mail you a new cd each time.

Ultimately, you cannot help someone who does not help themselves. If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure.

Anonymous said...

When we are talking about improving security for the masses, high assurance web site owners need to do something about the other end of the connection... they CANNOT rely on the socially engineers, non-technically savvy and non risk aware end users they typically serve.

Regardless of the myriad of technology we may attempt to apply to the problem, the first step is for the web site owners to step up and take ownership or consider turning off their service (hint: banks save|make too much $$ from online FI to stop). Heck, they turned on HTTPS so they made a value judgment on protecting the data in transit. They just need to extend it one more step... to the desktop, as it is their brand, their cost efficiencies, etc that compels their web sites to be available in the first place.

Anonymous said...

A Live CD has to be loaded into memory in order to run, if the system is loaded into memory it is not immutable.

Anonymous said...

...AND THIS IS YOUR FAULT.

When hardware, operating systems and security tools are purposedly designed to deceive users (translate: collect their data), you can bet that all those holes will be used.

Let's stop this hypocrisy. It's time to admit that this culture of treachery has hidden costs.

Chris Snyder said...

"If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure."

ARGH, that's exactly it. Your router knows your bank url, and can inject a keylogger into any executable or firmware update you download. T-shirt or not, there is not much you can do to make your account secure if your local network and/or desktop is compromised.

LiveCDs aren't the way. Banks need to limit the kinds of transactions that can happen online, and we need to stop pretending that users have secure systems.

You can do a lot with an insecure system, like email, for instance. But there is a whole class of functionality that you would just never build on email because you know it is transmitted over public networks and stored in discoverable archives.

Banking, medical records, legal advice, intimate conversation: none of these things should really be done over the internet; or they should be strictly limited to reversible, discoverable actions.

kingthorin said...

@Jerimiah
"do they suspend all transactions and incur support costs to help the customer fix their PCI before allowing money to move?"

PCI vS PC....freudian slip?

Jeremiah Grossman said...

@kingthorin LOL. Good catch! No comment. :)