MikeShaw's WebLog

Developer Security and other stuff

Myth # 2: The Internet is full of nice people

When Windows for Workgroups 3.11 shipped, I don't think anyone believed that over the coming ten years the number of computers in use would increase more than tenfold, and that almost all of them would, at one time or another, connect to the internet. Back then, everyone on the internet was nice, because if you stood next to someone in the office, between the two of you there were enough fingers and toes to count everyone who could use their computer to connect to another computer outside their own company!


The only network that could successfully spread a virus back then was 'sneaker-net': physically sharing media, the scourge of the 5¼-inch floppy. A few companies tackled this problem by buying floppy-disk locks to stop their staff bringing in games from home, which might come with an unwelcome selection of extra bits and bytes.


As the internet grew and the dot-com bubble began to swell, the need for every company to be seen and accessible, at least in online brochure form, put huge pressure on IT departments. Online strategies became an essential part of company reports and business proposals. That continued business pressure, plus the demands of home computer users armed with hours of free internet access and free modems to see more and more images of their favourite products, led to the realisation that business could actually be done on the internet.


"If you build it, they will come" became the mantra of the mid-nineties. High Street retailers, now wanting to sell their products online and capitalise on this new market, built e-commerce web sites with the philosophy 'we can stand a bit of fraud in our shops, so we can cope with a bit of fraud online too; after all, most people who come to our shops are nice and just come to buy'.


And sure enough, the site was built, the consumers came and purchased, and occasionally a stolen credit card was used, but most of the transactions were 'nice'.


But then one day Mr Businessman woke up to the news headline "Credit card details published on Web after hack attack", which made him wonder... perhaps not everyone on the internet is nice. It is not possible to smile at someone as you hand them their change and wonder whether you trust them or not. It is not possible to video a bank robber walking into an online bank. Attacks from cyberspace are different....


So, a question for you: how do you install a virus on someone's computer?

Answer: you send it as an attachment to an email with the subject 'ILOVEYOU'.

Now, I bet you smiled to yourself when you read that. Steve Riley tells it better than I do, but I hope you get the point: a nice person sent you a nice email and, before they realised it, thousands of people were infected because they wanted to fulfil that basic human need: to feel loved.


How could something so innocent become so malicious? You recognised the name of the sender as a trustworthy friend. Now that they have emailed you a virus, is that trust irrevocably broken? Or will you forgive them, because they just did something a bit silly and had no idea it was silly until it was too late? Double-clicking an email attachment was (and is) an everyday occurrence, after all, and they had a previously untarnished record of virus-free emailing. But it is not the sender you should distrust; it is the faceless virus author, who used your friend's name and address book to get past your guard. Trust is a strange thing when you begin to look at it, and there is an entire spectrum of trust that is, today, quite poorly defined, but more of that in another posting. Here's a little tale for you:


“Got any old watches or clocks to sell?” asked the man standing in front of me on my doorstep.  “Err, no”, I replied a little taken aback by the question.  I cast a curious eye up and down the reasonably well presented gentleman in his early fifties and noticed a printed leaflet in his hands identical to the one I had pulled from my letterbox that very morning and discarded without really reading it.  The leaflet read ‘Buy-gone Antiques, Instant Cash Paid for Watches and Clocks, Victorian Paintings and Old War Medals (any condition)’.

 

I turned. "Who was that?" my girlfriend inquired as I closed the door and saw the man walk briskly towards my neighbour's. I put on a gruff London accent: "No old watches or clocks to sell? .... Then you must have some new ones you're keeping hidden..." and we both laughed before returning to our laptops. After a few moments my girlfriend looked up and asked, "Do you think he was a burglar?"


"No, just an enterprising small businessman", but she had made me think. Why didn't I think he was trying to rip me off? Was he looking to see whether people were out before breaking in, under the disguise of an antiques dealer? Did he hope that I was an old lady to prey upon, and give me a pittance for my departed husband's valuable war memorabilia?... Well, I trusted him enough not to break into the house, because he had left a leaflet with his phone number and address on it. But he could have printed it himself and made up the number and address. You have to wonder just how far someone might go, and given the evidence to hand, the effort required and the risk of exposing himself, I could reasonably trust that he was not surveying the area for robbery potential. I would not, however, trust that man with much else.


We are all naturally quite trusting individuals; it's in our nature to believe in people. But on the internet it is harder to identify people and to verify who they are and what their intentions are, so some good approaches exist to minimise your exposure, and it is well worth thinking about them as you build any computer system.


Secure by Design, Secure by Default and Secure in Deployment. Of course, these principles translate into quite a few practical activities, so I've listed three of my favourites below:


1)      Build a threat model – no excuses, JFDI – Just Do It!

2)      Run your code with least privilege. This doesn't only mean that the account executing the code has just the permissions necessary to carry out its task; in the age of .NET, the application code itself can be restricted in the permissions it is granted. Currently it is a bit tricky to determine what permissions a .NET application actually requires, but the permcalc tool in Whidbey (sorry, Visual Studio .NET 2005) makes this a whole lot easier! Things get even better in Longhorn.

3)      Never trust any input. Whatever arrives from a user, a file, the network or another application is data, not instructions, until you have validated it.
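Practices 2 and 3 fit in one short piece of C#. This is an added example, not code from the original post, written against the .NET Framework 2.0 code access security model the post refers to; the ReportReader class and the C:\data\reports directory are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the original post): a report reader that applies
// practices 2 and 3 above. Assumes .NET Framework 2.0-era code access
// security; the ReportRoot path and the class itself are hypothetical.
public static class ReportReader
{
    // Hypothetical directory the application is allowed to read from.
    private const string ReportRoot = @"C:\data\reports\";

    // Practice 2: least privilege for the code itself. PermitOnly shrinks
    // what this method, and everything it calls, may do to read-only access
    // below ReportRoot. A write, or a read anywhere else, fails with
    // SecurityException even when the process account and the calling code
    // are fully trusted.
    [FileIOPermission(SecurityAction.PermitOnly,
                      Read = ReportRoot, PathDiscovery = ReportRoot)]
    public static string ReadReport(string untrustedName)
    {
        if (string.IsNullOrEmpty(untrustedName))
            throw new ArgumentException("report name is required");

        // Practice 3: never trust input. Canonicalise first, then check the
        // result is still inside the root; "..\..\Windows\win.ini" and an
        // absolute path such as C:\boot.ini both fail this test.
        string full = Path.GetFullPath(Path.Combine(ReportRoot, untrustedName));
        if (!full.StartsWith(ReportRoot, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("report name escapes the report directory");

        return File.ReadAllText(full);
    }

    // Drives the two checks with one well-formed and two hostile names.
    public static void Main()
    {
        string[] names = new string[] { "q2.txt", @"..\..\Windows\win.ini", @"C:\boot.ini" };
        foreach (string name in names)
        {
            try
            {
                Console.WriteLine("{0}: {1} chars", name, ReadReport(name).Length);
            }
            catch (ArgumentException e) { Console.WriteLine("{0}: rejected ({1})", name, e.Message); }
            catch (SecurityException e) { Console.WriteLine("{0}: blocked by CAS ({1})", name, e.Message); }
            catch (IOException e)       { Console.WriteLine("{0}: {1}", name, e.Message); }
        }
    }
}
```

Two things worth knowing when you run this. Path.GetFullPath itself demands PathDiscovery for the canonical path, so with CAS enforced a name that escapes the root is stopped by the PermitOnly before the StartsWith test ever runs; the explicit check is still there because it is the part that keeps working when CAS is not enforced (CAS policy is off by default from .NET Framework 4 and absent from .NET Core). And PermitOnly only narrows what this frame and its callees may do; it does not grant anything, so the process account still needs NTFS read access to the directory for the good case to succeed.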

 

Resist the natural urge to trust the people using your application, whether they are within your organisation or on the internet; make security a part of your whole software development lifecycle and, in the words of Andy Grove, "only the paranoid survive".


I think Myth #3 will get a bit more technical, as it will be titled "Cryptography is just too hard".


Mike

Posted: Jul 20 2004, 12:44 PM by mikeshaw | with 3 comment(s)

Comments

Sean Gephardt said:

sometimes it's good to be paranoid...
# July 20, 2004 12:54 PM

Anon said:

I think the word "Internet" would have been more appropriate here instead of "internet".
# July 20, 2004 9:49 PM

Myth # 2: The Internet is full of nice people said:

Pingback from  Myth # 2: The Internet is full of nice people

# November 27, 2007 8:06 AM