Joe Average User Is In Trouble

Opinion One of the many hats I wear here in St. Louis is that of college instructor, writes SecurityFocus columnist Scott Granneman. I teach courses in technology at Washington University, recently ranked the ninth best overall college in the nation by U.S. News & World Report, and at St. Louis Community College at Florissant Valley, one of the better community colleges in the area. I teach smart people at both locations. One is composed of folks who can pay the high prices for an education at a nationally-ranked university, and the other has people who work during the day and want to improve their skills at a good public school while keeping their costs low.

In other words, I see a pretty good cross-section of the computer users in our area.

Oh sure, some of my students are what we'd call "computer people," who work professionally programming or administering various systems or developing Web sites. But those are few and far between. Most of my students are office workers, or writers, or homemakers. Almost all of them run Windows at home and at work, usually ME or XP. They all know how to "use" their computers, which means that they can write papers, read email, use the Web, and even install software (as long as it's not packaged as a ZIP file: most of them have no idea what a ZIP file is or how to use it). In other words, your typical American computer user.

I'm here to tell the security pros reading this that we are in deeeeeep trouble when it comes to securing the computers of these people.

Security is just not a concept that "normal" folks focus on. It's not even on the radar screen. It's just not thought about at all.

The problem

"Do you update your anti-virus software regularly?" I'll ask them. Most look at me as though I'd just asked them if they refloozle their hossenblobbets with tinklewickets. A few will tentatively volunteer a timid, "I ... think so?" Some are willing to admit that they don't even have anti-virus software. At least they're sure.

"Do you run Windows Update regularly?" I'll ask next. Hmmm ... those hossenblobbets really do need refloozling. Some state that yes, they do run Windows Update, but they have no idea what it is doing to their computer, so they just agree to everything and assume it's all good. Most say they've never done it once, if they even know what it is.

"Do you have DSL or a cable modem at home?" is my next question. Ah, finally! A question they can all answer. They know the answer to this one! About half usually have some sort of broadband connection, and they are enthusiastic in their answers: "Yes, I do! You betcha! Love it!"

"Great!" I continue. "Do you have personal firewall software running on your computer? Do you have a router/firewall so your Windows machine isn't directly connected to the Internet? Did you remember to turn off file and printer sharing if your Windows machine is directly connected to the Internet?" A pause ... and we're right back to hossenblobbets and tinklewickets.

It's enough to make someone who cares about security throw up his hands in frustration and just give up.

Especially when we look at the unending stream of patches that has been flooding from Redmond, Washington over the past couple of days ... uh, weeks ... uh, months ... oh, the heck with it: years. Just last week Microsoft announced a mega-patch for five security vulnerabilities deemed "critical". Windows Server 2003, which Microsoft promised would be its most secure OS yet, has already had nine security bulletins issued for it. Windows XP, the flagship desktop OS for home and business users, has released patch after patch after patch, as a search at the SecurityFocus Vulnerability Database will disclose. To top things off, some of Microsoft's patches are themselves buggy, requiring further patches and updates to fix these patches.

It is a huge - and growing - problem for IT professionals at businesses to keep up with all the patches Microsoft issues. How, then, are non-professionals supposed to deal with the problem? More importantly, how are security pros supposed to deal with the bigger problem: that non-pros don't deal with the problem?

Solutions?

We can't just ignore the problems with insecurity that our non-IT friends, family, co-workers and acquaintances have with their computers. If their machines are compromised, we feel the effects, whether we realize it or not.

We feel the effects when we end up spending several hours each week doing pro bono IT work at the homes of the people we know (I've tried sending my Mom a bill, but she never pays, the deadbeat).

We feel the effects when the Internet slows to a crawl due to a sudden explosion of traffic caused by a particularly-virulent virus or worm.

We feel the effects when we get even more spam, sent from compromised zombies to everyone else on the Net, or when those zombies are used in DDOS attacks on anti-spam Web sites.

We feel the effects when zombies owned by our unknowing friends and family are used to secretly host scams, or porn sites ... or worse.

In my angrier moods, I sometimes think that we should require licenses to operate computers, just like we require licenses to drive automobilies. I know that such a plan would never work in the real world, but it's a pleasant fantasy all the same.

So what can be done? First of all, Microsoft desperately needs to improve the underlying security of their products. As I talked about in my last column, there are fundamental problems with the way that Microsoft designs its systems. Email programs that contain embedded Web browsers that are themselves embedded into the operating system are disasters waiting to happen. Microsoft makes it too easy for people to do stupid things with its software, and it needs to remedy that.

Further than that, Microsoft needs to improve the way that its operating systems are updated and patched. A recent decision to consolidate patches into a monthly release is not, however, the way to go. Sure, on the one hand it makes things easier for the security pro who now only has to download and apply a mega-patch once a month. But, on the other hand, do you really feel like waiting three weeks until the next mega-patch comes out, hoping and trusting that you don't get bit in the meantime? And do you think your grandmother is going to remember to install that monthly patch? I can just see it now: "Hi, Grandma. Yeah, I'm doing fine, and so's the dog. Sure, cookies would be great! Hey, did you remember to install your Microsoft mega-patch yesterday?"

To counter the immense problem of the millions of people who never install personal firewall software, Microsoft bundled an extremely simplistic "Internet Connection Firewall", or ICF, with Windows XP. Unfortunately, ICF is turned off by default, and it's hard for users to find if they do want to enable it. Even worse, ICF only blocks incoming traffic, so Trojans that try to phone home are in the clear. Evidently Microsoft is going to improve ICF in future versions of Windows, including future shipping copies of XP (which is good, considering that the next major version of Windows, code-named Longhorn, isn't going to see the light of day until 2005 at the earliest). It's going to be enabled by default, which is a good start, but there's no word about blocking outbound traffic at this point.

To counter the immense problem of the millions of people who never install or update anti-virus software, Microsoft recently purchased GeCAD, a small Romanian anti-virus software company. Microsoft hasn't made it clear how deeply it intends to get into the anti-virus business, and analysts are divided, with some sure that Microsoft will eventually challenge Symantec and McAfee and the other large AV vendors, and others arguing that Microsoft just intends to get a better handle on improving the security of the Windows platform. I suspect that Microsoft hasn't yet decided what it wants to do on this front. Forcing AV software onto end users is a good thing, but I would really hate to see Microsoft destroy another software market by bundling new capabilities into the OS (the same concern applies to personal firewalls in the previous paragraph).

To counter the immense problem of the millions of people who still do carelesss things with their email, like open attachments they weren't expecting, Microsoft is making changes to the way its corporate email program Outlook behaves (including, however, the addition of odious DRM (digital rights management) features that will cause more problems than they solve). These are good changes, but let's see what happens once Outlook has been in the real world for a few months. I hope that the days of constant security issues with Outlook are over, but I'm taking a skeptical wait and see attitude, an attitude that seems entirely justified, based on one bizarre "feature" that the brand new program displays. Oh, by the way: if you or someone else you know uses the the free Outlook Express, you're out of luck. Microsoft has no plans to improve it any further. If you know someone using Outlook Express, get them onto something else ASAP, like Mozilla Thunderbird.

To counter the immense problem of the millions of people who never run Windows Update (or Office Update, for that matter), Microsoft will probably install patches and updates automatically, by default. This makes me nervous, to say the least, since Microsoft has a history of releasing patches that don't work, or cause new problems, or require updates for the patches themselves. And personally, I don't like anything automatically installed on my machines. I want to be in control. But for the great mass of computer users out there, I think it's a solution that is unfortunately necessary. If people won't do it themselves, then it needs to be done for them. Let's just hope it works smoothly.

An unrequested but necessary responsibility

Microsoft can do a lot, but its still the folks in the trenches who are left with the hard work and the dirty jobs. Yeah, I'm talking to you, the security professional reading this column. You and I have a lot left to do. We bear some of the blame for this mess by both mistaken actions and inactions but, more importantly, and more unfortunately, we bear most of the burden. Even if we don't want to, we're going to have to work with the people around us to help improve this pretty awful situation.

I know a lot of you are already performing what feel like the labors of Hercules. You're providing the free tech support that I mentioned above. You're spending hours downloading and installing patches, and cleaning up for folks when their computers become bewitched, bothered, and bewildered. You're the one driving out to CompUSA to buy a router/firewall when your parents get that new DSL connection. And you're the one patiently explaining yet again to yet another person why they need to install anti-virus software.

But we can do more. No, we must do more.

Because like or not, Windows ain't going away for a while. Probably not ever, totally (calm down, Linux and Mac OS X users - I'm on your side, but let's be realistic here).

We've got to do more, because who else is going to do it? Microsoft claims it's working as hard as it can to improve the security of its products, but the success of that claim is, to put it politely, debatable. Besides, as we all know security is one big chain that is only as strong as its weakest link, and the weakest link is always ... the people. Microsoft can work and struggle to give its software a secure foundation, the same strong foundation that much open source software already has, but as long as it makes it easy for smart people to do dumb things, we're always going to have a problem. So it's up to us, the people reading this column, the smart people who try to do smart things, to help the great mass of computer users.

And what's the greatest help we can offer them? It's simple, really: education.

We've got to educate our parents, our other family members, our boyfriends and girlfriends, our wives and husbands and partners, our in-laws, our friends and acquaintances, our co-workers, and even the people we just bump into for a few moments at parties. We need to be polite, non-threatening, non-judgmental, and above all, helpful. We can't be zealots. Our answer to every problem can't be "Run Linux!" or our other favorite operating system (unless the individual we're talking to is interested in such a solution, then by all means, go for it). We can, however, recommend (and install, and support ... *sigh*) software that will run on their operating systems and is built in a more secure fashion, however, like Mozilla or OpenOffice, if that software is appropriate. Most importantly, we need to speak in a language that Joe or Jane User can understand. No hossenblobbets and tinklewickets.

Going back to my classes at Washington University in St. Louis and St. Louis Community College, I always spend time with my students educating them about various issues in security. I try to impress upon them the importance of anti-virus software, and Windows Update, and firewalls, both hardware- and software-based. If they have a broadband connection, I take some time to talk about the advantages it brings, but also about the dangers, and how they can protect themselves against those dangers. And you know what? My students are genuinely interested in what I can tell them, and most of them think about what I've said and actually act on it.

I can't teach my students everything, but I try to teach them something. Every security professional needs to do the same. We're at the forefront, like it or not, and it's up to us to help lessen the myriad of problems we see around us. Like it or not, we need to become educators - permanent educators - or we may find ourselves refloozling those hossenblobbets with tinklewickets one too many times.

Copyright © SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.