Thursday, January 4, 2007

So long Superman... Vista will save the world

I've read a lot of articles recently like this one, often quoting (mis-representing?) some very respectable sources such as SANS and Postini. They imply that Vista will somehow magically fix all the security woes that MS has been undergoing and that the internet will be a magically safer place. I'm sorry people, but that's just a pipedream!

Is Vista more secure than previous OSes - for sure. Will it "change the threat landscape" - hell no!

Look, I'm not going to quote any real statistics - mainly because I can't be bothered to look them up, but there are still Win95, Win98, WinME, NT4, Win2000, Win2003, old Linux & Unix boxes that have never been maintained (or not adequately from a security perspective) - and let's not forget that this month is the Month of Apple Bugs.

Let's say, just for argument's sake, that everyone who could afford the whopping $239USD price tag on Vista ran out to buy it and installed it on their probably-not-fast-enough-to-really-run-Vista machine. Let's further assume, as is probably reasonable, that a whole bunch of people will also install a pirated copy of this same OS. This would mean that we'd get what...maybe 40-50 percent of the Windows workstations out there converted to Vista? And that, my friends, is in a perfect world where everyone who could do so ran out and got a copy.

This scenario would have some (short term, I think) impact on the number of available machines to infect/take-over, but that doesn't make the Internet a safer place. If you take the analogy of the Internet being like New York City, where there are a lot of wonderful places to visit and a lot of dark corners where bad people lurk, then this would be akin to installing flood-lights in 40-50% of the New York City alleyways. Does it make New York safer? No. In fact, it means some areas are worse off than they ever were because it forces the bad-guys to congregate (and there's strength in numbers). The same holds true for the Internet.

For the Internet, this probably translates into meaning that primarily 1st-world countries, who can afford the software and/or hardware upgrade, will be "safer"; while poorer countries will be the congregation points for Internet bad-guys.

But it can still be argued that this pushes all of our problems to areas that we can more heavily monitor. In theory, this is true.

Are there any plans to do this monitoring? No. Does "monitoring" this activity make us any safer? No. Can we stop people in these places from sending data to us? Not in our new global economy.

And don't think for a second that Vista is without holes. When XP came out, it took a few months for the first 0Day exploit to hit - and the same will be true for Vista. In fact, we'll never truly know when the first 0Day for Vista comes out because the bad guys are a lot more about stealth these days than ever. So, while we're carefully watching these "dark areas" of the Internet, the domestic security space will slowly revert back to the same state it's in today.

I'm not slagging MS here - you'll note I mentioned several other OSes above - but MS is simply the most prevalent and, as a result of prevalence, the most frequently targeted.

My suggestion to those reading this blog: don't upgrade your personal PC to Vista because of security. If you like some of the features (like multimedia) that Vista offers, go for it. Otherwise, stay with XP (or find someone who has purchased Vista and get their XP license from them). It will probably run faster on your machine anyway.

Whichever one you do, here are 6 easy things to make sure you're not easy-pickings for the bad guys:
1. Make sure to patch aggressively - enable automatic updates for all software (and operating systems) that have the option.
2. Make sure you have a good AV that hasn't expired and update it at least weekly (I update daily).
3. Enable a personal firewall (hardware-based routers are good too) and disallow all inbound traffic unless you really know what you're doing.
4. Install buffer-overflow protection software (eEye has a free personal edition of Blink).
5. If you're going to spend money, spend it on a good anti-spyware software - some of them even have buffer overflow protection software, and personal firewall built in.
6. Make sure to auto-update (or subscribe to mailing lists) for all the above (yes, I know this was point #1, but it's worth re-iterating).

If you have the know-how, also make sure to subscribe to vendor patch notices for all internet-enabled software (and browser tie-ins) including multimedia software (QuickTime, iTunes, DivX, WinAmp, etc..), Adobe Acrobat, your mail reader, browser, Peer2Peer software, etc. Again, auto-update is your friend if it's built-in.

This won't make you indestructible, but it's "secure enough" for most people and makes you a harder target. Bad guys usually go after the low-hanging fruit.


1 comment:

/\/\ @ T T said...

Cheers Gord.
Well written.