Jesper M. Johansson
In the last couple of issues of TechNet Magazine, I discussed how security professionals and the IT industry at large confuse consumers and actually hinder effective security efforts. In the first two installments of this series, I focused on such issues as solutions that provide misleading information to consumers, overload the logon workflow, and teach bad behaviors. So far, I have shown you many different examples of how the industry, in its zeal to appear concerned about consumer security, has actually made the situation far worse than it needs to be. In this third and final installment, I will show how some of the most important technologies available to consumers are not living up to the expectations those consumers should have for those solutions. This all leads up to my call to arms.
Overloading Updating Technologies
One of the primary tenets—an indisputable requirement, in fact—of staying safe electronically is to keep all your software up to date. Nearly every major software provider now has some form of semi-automatic mechanism for keeping at least some of its software up to date. However, it's not quite that simple.
First, the more software you have, the more software you have to update. And the more vendors you get software from, the more update mechanisms you have to work with, each with its own schedule, its own user interface, and its own notion of what "automatic" means. This is a confusion factor.
For example, if you just leave the defaults in place, Internet Explorer® will update itself. But Internet Explorer is really just a container for other technologies, and a vulnerability in any plug-in it loads is reachable from any Web page the browser renders, whatever the patch level of the browser itself. The potential impact of that was demonstrated at the CanSecWest conference in 2008, when Shane Macaulay used a combination of vulnerabilities in Java and Adobe Flash to compromise one of the contest laptops. (Details were a bit scarce when writing this column, as the flaw had still not been disclosed.) My point, though, is that neither of these technologies is a built-in component of Windows, and yet they are both present on most computers because they are so widely used on the Internet. Both are a bit of a challenge to keep updated: each has an automatic update mechanism, yet neither mechanism fires very often.
In addition, most end users simply don't realize those technologies are there and need to be updated. In many cases they were preinstalled in the OEM image, which, to the consumer, is indistinguishable from the operating system. As far as the end user is concerned, when Windows® Update says there are no updates, there are no updates, even though Windows Update has never looked at Java or Flash.
The second problem is that the update mechanisms are often more complicated than necessary. Any update mechanism that does not have a completely automatic mode is unlikely to receive wide use because users are generally unaware that they need to run the update tool. Further, in most cases, the user must be an administrator to install the updates. And in the worst case, the user must be an administrator just to be notified that an update is available, so a household that follows the advice to run as a standard user never sees the notification at all.
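As an added illustration of the two problems just described (this is example code written for this rewrite, not code from the column), the PowerShell script below inventories the software that the Uninstall registry keys register under a non-Microsoft publisher, counts how many separate vendors (and therefore how many separate update mechanisms) that implies, picks out the browser plug-ins discussed above, and checks whether the current account is even an administrator. The publisher heuristic and the plug-in name pattern are assumptions made for the example; they approximate "not serviced by Windows Update" rather than define it.

```powershell
# Added example (not part of the original column): list software that Windows Update
# does not service, and check whether this account could install its vendors' updates.
# Assumptions: installers registered under the standard Uninstall keys (true for MSI and
# most EXE installers), and a publisher not containing "Microsoft" is a fair heuristic
# for "outside Windows Update". Adjust the filters for your environment.

function Get-ThirdPartySoftware {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    # Missing keys (e.g. WOW6432Node on 32-bit Windows) are skipped silently.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.Publisher -notmatch 'Microsoft') } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object Publisher, DisplayName
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$software = @(Get-ThirdPartySoftware)

# Each distinct publisher is, in practice, one more update mechanism the user must know about.
$vendors = @($software | Group-Object Publisher).Count
"Third-party packages: $($software.Count); distinct vendors (separate update mechanisms): $vendors"

# The plug-ins the column singles out: reachable from any Web page the browser renders,
# yet invisible to Windows Update. The name pattern is an assumption for this example.
$software |
    Where-Object { $_.DisplayName -match 'Java|Flash|QuickTime' } |
    Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

if (-not (Test-IsAdministrator)) {
    "Running as a standard user: vendor updaters that require elevation will not install " +
    "(and some will not even notify) from this account."
}
```

Run it from an ordinary user session rather than an elevated one; the final message then reflects what the household's day-to-day account can actually do, which is the situation the column is describing.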
Finally, it is becoming increasingly common for vendors to use software-updating technologies to deploy completely unrelated software that the user did not have installed—toolbars and so on. The software updating technologies have transitioned from being intended very specifically to deploy updates for software to being used as a way to distribute additional software.
Two very visible cases of this are the Microsoft® Windows Update service (shown in Figure 1) and Apple Software Update (shown in Figure 2). Both Apple and Microsoft have chosen to use their update mechanisms to not only update software but to deploy new software that the user did not originally install.
Figure 1 Using Windows Update to deploy Silverlight
Figure 2 Using Apple Software Update to distribute Safari
In Apple's case, you are offered both iTunes and Safari even if you only have QuickTime installed. Interestingly, both are also selected by default.
In the case of Windows Update, the most recent new software deployed using the update service is Silverlight™. Microsoft has used this technique in the past to distribute new software. To its credit, at least Microsoft did not check the box to install the new software by default.
This approach, to distribute new software via an update mechanism, causes two problems for users. First, many will end up with more software on their computer than they started with. As you know, all software of any substance has bugs, and some of those bugs may result in potential security vulnerabilities. And some of those vulnerabilities will eventually be used in some form of attack. As a result, some number of users will be attacked through software they do not need or even use, which was deployed to their computer via a software update mechanism.
The second problem is that users may get the wrong idea about the value of software update mechanisms. If users find that software update mechanisms are being used to deploy new software, as opposed to new updates, they may see the update mechanisms as a hassle and stop using them. Just imagine how a user must feel after being attacked through a vulnerability that comes from a program that he never uses but received through a software update mechanism.
There are few things more dangerous to the health and safety of the technology ecosystem than users losing trust in the technologies that should keep them secure. Once users lose that trust, those technologies will start to be rejected and eventually fall out of use. If technologies that are critical to protection, as update technologies are, fall from favor, the entire technology ecosystem will be at risk. Protecting this ecosystem is why Microsoft distributes security updates even to computers that are known to be running pirated software.
In comparison, I truly respect the clean and purpose-built Mozilla Firefox update interface, shown in Figure 3. I certainly hope that Mozilla continues to avoid the temptation to distribute additional software via its Software Update tool.
Figure 3 The Software Update interface for Firefox is one of the cleanest in the business
Inconsistent Messages about Security
It would be nice if the industry would actually settle on a common message to consumers. While competition in the industry is essential, consumers need to learn what security should mean to them. Unfortunately, they cannot do that if the industry keeps sending conflicting messages. Frankly, I would settle for companies being consistent across their own messaging.
While the industry will probably never settle on such a common message, there does at least need to be consistency and honesty in messaging. Given the critical importance in making sure customers continue to trust security technologies, the industry as a whole needs to do better.
Similarly, we also need to question what provides actual value today. For instance, I don't believe antivirus software is nearly as effective or even critical today as the industry may have you believe. Consider the computer that my seven-year-old son uses and the computer in my kitchen. Both have antivirus software installed and in the three years since they were installed, neither has ever alarmed for anything. Now, I'm not saying that we should abandon antivirus software—at this point, it is a core component of the technology ecosystem. Clearly, if we were suddenly to remove all antivirus software, the attackers would quickly take advantage of that and we would start seeing more infections.
The point here is that the industry needs to think about what features users really need in their security products, how effective these features are, and how companies can communicate these needs and values to consumers. As it stands, users today receive far too many conflicting, exaggerated, and often untrue messages about security.
It's All about the Checkboxes
As an example, the security software industry is all about suites. Today, security software is almost exclusively distributed as bundles of seemingly unrelated features. And there is practically no information on which of those features users actually need.
This seems to result in a race to fill more checkboxes. While checklists provide a good way to compare products, they can also give rise to features that are not necessary, not desirable, or that do not even make sense. Figures 4 through 7 show four different lists of check marks from four different security software vendors. Is it safe to assume that the product with 17 check marks is superior to the one with only 10?
I actually find these figures quite amusing. In Figure 4, the product received a check mark for being a new version. And the product in Figure 5 gets a check mark because it, according to the company's claim, "stops attacks from nefarious Web sites." The product in Figure 6 gets extra points because it "protects children online." Obviously nobody would want a product that fails to protect children. The winner, however, gets the creativity award for including such features as registry clean-up and hard-disk defragmentation in a security suite. The former is rarely if ever needed and the latter is already built into the OS. In fact, the Windows OS already includes solutions for 15 of the 17 check marks shown in Figure 7.
Figure 4 This top-of-the-line product has only 10 check marks
Figure 5 This product with 11 check marks must be better
Figure 6 Hold on, this one has 12 check marks
Figure 7 But this product with 17 check marks must be the best solution, right?
There are some disturbing trends here. Not only are these products duplicating functionality that is already included in the operating system (while neglecting to mention that fact in the marketing literature), they are also making outright false claims. For example, no security software in the world can truly stop attacks from malicious Web sites; at best it can block some of them and reduce the likelihood of the rest. Nor can any product really hide your presence from attackers; a computer that communicates on a network can be observed on that network.
The problem is that the business of software security has largely been built on protecting users from vulnerabilities made possible by products created by other vendors. But those vendors are constantly getting better at protecting their own customers and, as a result, the security software industry is finding its business model threatened. The security software industry certainly does have a lot to offer, though, as new risks surface, but the vendors need to help customers manage risk, not simply guard against threats that are no longer really threats.
A Call to Arms
If there is one thing I would like readers to take away from this three-part series, it is that we as an industry need to level with our users and customers. We need to explain the risks and how users can address these risks. And we finally need to start equipping people to protect themselves.
My biggest concern about all these "solutions" is that there is a serious possibility that they will ultimately degrade security in the long term. If users, and even IT managers, actually believe that these products will solve real security risks, especially all the risks they misleadingly claim to solve, we may lose the opportunity to teach people how to truly protect themselves.
Take password authentication systems as an example. If users believe that the weak add-ons to password-based authentication systems I discussed in the first part of this series are actually protecting them, they may become even more lax and use even weaker passwords. In the worst cases I highlighted in this series, the technology actually forces the user to use weaker security than what would have been used if the new technology weren't implemented. This means that by the time the malicious users figure out how to defeat these systems, which often is not hard, we will be in an even worse state than we're in now. That could result in a significant trust problem, causing people to abandon solutions with real value.
We need to take action now to protect the technology ecosystem that sustains our businesses. Innovation must, of course, be encouraged, but we must also be very careful to avoid letting innovation for the sake of innovation get in the way of real risk analysis. Otherwise, we will have only security theater, and eventually security theater will come crashing down around us.
The same holds true for the other examples I've discussed. Take the meaningless security eye candy, for instance. It does absolutely no good to users, it lulls them into a false sense of security, and it lets online service providers get away with optimizations that actually cause indirect harm to users. Meanwhile, the net cost would be just a few thousand dollars, or perhaps tens of thousands in the most extreme cases, to provide proper information to users. Is it really too much to ask that vendors spend that little bit of money on efforts to protect their customers and their business?
This has many implications. First, we must address the perception that users are incapable of making decisions and must be prevented from doing so. Users are not incapable of being taught to make decisions. After all, these users have made many decisions, such as deciding to purchase a computer, or to use your site, or to purchase one of your products or services. Just as people need to learn to drive a car safely, they must also learn to use a computer safely. The attacks are targeting the users personally today, and technology cannot be relied upon to make the decisions. Rather, security technologies must be decision support systems, providing the right information at the right time in order to enable the user to make an intelligent decision.
Some of the worst user interfaces in the world have come from security solutions because the applications have been designed to either hide any kind of decision-making from the user or to dump all the available data (in an unfriendly manner) to the user. Neither approach works. The former puts users at risk because the technology cannot be depended on to make the right choice. And if the technology is perceived as hindering the user's business objectives, it will not be long until the technology is disabled. The latter approach, meanwhile, fails because people do not want to be bothered with IP addresses, process IDs, and other data that is meaningless to them. They just want to know what the computer is doing with their passwords and credit cards. This, after all, is what security is really about.
Jesper M. Johansson is a Software Architect working on security software and is a contributing editor to TechNet Magazine. He holds a Ph.D. in Management Information Systems, has more than 20 years experience in security, and is an MVP in Enterprise Security. His latest book is the Windows Server 2008 Security Resource Kit.