Saturday, December 7, 2013

Why anti-virus software doesn't make you safer (and may even make things worse)

Even before I stopped using Windows on a regular basis I'd stopped running antivirus software. I'd still run a scan now and then, but not all the accompanying processes that weave their way into every part of your system and siphon away huge amounts of memory and processing power.

Maybe you think I'm crazy, or at least careless. But the fact is, as a software engineer, I realize how easy it would be to write malicious software that an Internet security suite can't detect. It would be difficult even for an experienced programmer to find the malicious element in well-crafted code. Software can be incredibly complex and, contrary to popular belief, computers aren't smarter than humans. In fact, they're incredibly stupid, and they only do exactly what you tell them to do. Signature-based antivirus can only flag threats it already knows about, and the heuristic and behavioural scanning layered on top of it is routinely defeated by ordinary packing and obfuscation. In practice it catches only the most basic attempts at malicious code.

Admittedly, there is some utility in software that watches for attempts by programs to access certain parts of your system, or to upload data to the Internet. But everything comes at a cost, and keeping these processes always running in the background slows your computer down and drains battery life. The fact is that most operating systems come with built-in security mechanisms, such as mandatory access controls (SELinux and AppArmor on Linux, the application sandbox on OS X, integrity levels on Windows), that are much more effective and don't require running an additional process. Even Windows is quite secure for a well-informed user, without additional security software.

On that last point, the real problem is that users aren't sufficiently aware of what kinds of threats are out there, or how to guard against them. As the saying goes, "There is no patch for human ignorance." And therein lies the bane of every IS professional's existence: people think they can install an Internet security suite and it will save them, in spite of their ignorance.

Nowadays, operating systems have a lot of these safeguards already built into them, and much of what third-party programs do is redundant. And yet, with all these redundant protections, successful exploitations abound. This is because you can't write software that sufficiently compensates for the carelessness of users without making their systems virtually unusable.

The idea that Linux is more secure because fewer people use it is a myth. Besides its technical superiority, a major reason it's harder to exploit is that its users tend to be better informed. Even with strict file permissions, SELinux in enforcing mode, and a well-configured firewall, I could easily write a script to steal vital information from a Linux system, if the user is foolish enough to download and run it without knowing what's in it. Such a script runs with the user's own privileges, and the user's own files are exactly what it is after; no permission system stops an account from reading its own documents.

Don't think you're safe, simply because you use Mac or Linux!

Here's a list of simple things you can do to protect yourself from most Internet attacks, without installing additional software.

1. Don't run as the administrative user. This mostly applies to Windows users, where I believe this is still the default. If you're running as an administrative user, any process you run can basically do whatever it wants to your computer, and access all your personal information. Microsoft has implemented a labyrinth of complicated access controls (User Account Control and its integrity levels) to try and compensate for this, which could be more easily solved by running as a less privileged user.

2. Don't download and run things from the Internet that you're not sure you can trust. Even if you run them without admin privileges, that only protects the operating system. It doesn't protect your personal files: anything you run can read and modify everything your account can, and your documents, saved passwords and keys are what an attacker is after.

3. Be very careful about clicking on links or opening attachments in emails, or even responding to them. This is a whole topic by itself, and probably the biggest source of successful compromises. Spend some time getting informed on the tricks attackers use. Even if you recognize the sender's email address, that doesn't prove who it's from: the From address is just text the sender fills in, and it can be set to anything.
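As an added example (not code from the original post), here is a small Python script that checks a few of the things a careful reader looks for before trusting a message: whether Reply-To and Return-Path agree with the From address, whether a link's visible text leads where the link really goes, and whether the sender's domain has been buried inside a hostname registered somewhere else. The two messages and all the domains in it are constructed for the example.

```python
"""Added example (not from the original post): a few header and link checks
that surface tricks phishing emails rely on. The messages and domains below
are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From: address looks like the company's own domain,
# but replies and the link go somewhere else.
SUSPICIOUS = """\
From: "IT Department" <helpdesk@example-corp.com>
Reply-To: recover@mail-verify.example.net
Return-Path: <bounce@mail-verify.example.net>
Subject: Password expires today
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://login.example-corp.com.mail-verify.example.net/">
https://login.example-corp.com/</a> to keep your account.</p>
"""

# Constructed clean message for comparison: everything points to one domain.
CLEAN = """\
From: "IT Department" <helpdesk@example-corp.com>
Subject: Maintenance window on Saturday
Content-Type: text/html

<p>Details: <a href="https://intranet.example-corp.com/notices">
https://intranet.example-corp.com/notices</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain (last two labels). Real code should use the
    public suffix list; this mishandles names like example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def email_domain(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def url_host(text):
    """Hostname of a URL; a bare 'www.example.com' is accepted too."""
    text = text.strip()
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)\S+$", text.strip(), re.I))


def analyze(raw_message):
    """Return (code, detail) findings. A finding is a reason to look closer,
    not proof of malice: mailing services legitimately set Return-Path to
    their own domain, for example."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = email_domain(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        dom = email_domain(msg[header])
        if dom and registered_domain(dom) != registered_domain(from_dom):
            findings.append((header.lower() + "-mismatch",
                             f"From is @{from_dom} but {header} is @{dom}"))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = url_host(href)
        # Visible text is a URL, but the link does not lead where it claims.
        if looks_like_url(text) and \
                registered_domain(url_host(text)) != registered_domain(href_host):
            findings.append(("link-target-mismatch",
                             f"text shows {url_host(text)}, link goes to {href_host}"))
        # The sender's domain is buried inside a hostname registered elsewhere.
        if from_dom and from_dom in href_host and \
                registered_domain(href_host) != registered_domain(from_dom):
            findings.append(("lookalike-host",
                             f"{href_host} is really under {registered_domain(href_host)}"))
    return findings

def finding_codes(raw_message):
    """Sorted, de-duplicated finding codes; handy for automated checks."""
    return sorted({code for code, _ in analyze(raw_message)})


if __name__ == "__main__":
    for code, detail in analyze(SUSPICIOUS):
        print(f"{code}: {detail}")
```

None of these checks proves anything on its own; legitimate newsletters set Return-Path to the mailing service, and an attacker who controls a compromised account will pass all of them. They are the questions to ask, in code, before clicking.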

4. Use good passwords for online accounts. What is a good password? Well, first of all, your name is not a good password! It amazes me how many people think it's crazy not to use anti-virus software, and yet use passwords that are ridiculously easy to guess. Email accounts are a major target, and attackers use automated programs that work through lists of common passwords against account after account until one works. All while they kick back playing computer games and eating popcorn.

Most people think there's nothing all that valuable in their emails anyway. However, you'd be surprised how much information you can get from emails. Personal information is one of an attacker's most useful tools. And because most of the people you know probably use passwords as obvious as yours, your emails give them the names and probable passwords of your family and friends. Once inside your account, they can send emails to everyone in your contact list in an attempt to get more information, or send them malicious attachments from an address they trust.

The biggest reason people don't use good passwords is that they're difficult to remember. I don't even try to remember most of my passwords. There's no need to. You can store them in a password manager, like KeePass, which will generate a long random password for you. Most browsers can also store your passwords in encrypted form and sync them between your computers and smartphone.
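To put numbers on "good", here is an added example in Python (not from the original post): a strength check that rejects common passwords and ones built from personal details, estimates the guessing work an attacker faces, and generates passwords and passphrases from the operating system's random source, which is what a password manager does for you. The common-password list and word list in it are short constructed stand-ins; real checks use leaked-password corpora and a large word list.

```python
"""Added example (not from the original post): putting numbers on 'good
password'. The common-password list and word list are short constructed
stand-ins; real checks use leaked-password corpora and a large word list
such as the EFF diceware list (7776 words)."""
import math
import secrets
import string

# Constructed stand-in for a list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou",
                    "welcome", "admin", "monkey", "dragon", "football"}

# Constructed short word list; a real one has thousands of entries.
WORDLIST = ["anchor", "bishop", "copper", "dinner", "engine", "falcon",
            "garlic", "hammer", "island", "jigsaw", "kernel", "ladder",
            "magnet", "needle", "orbit", "pencil", "quartz", "rocket",
            "saddle", "timber", "unicorn", "velvet", "walnut", "yogurt"]


def charset_size(pw):
    """Size of the alphabet an attacker must assume, given the character
    classes that actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(pw):
    """Upper bound on guessing work: treats every character as drawn
    uniformly from the classes present. Human-chosen passwords (names,
    dates, keyboard walks) are far weaker than this number suggests."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def seconds_to_guess(pw, guesses_per_second):
    """Average brute-force time at a given rate: half the keyspace."""
    return 2 ** entropy_bits(pw) / 2 / guesses_per_second


def assess(pw, personal_words=()):
    """Return ('weak' | 'ok', reasons). personal_words is the kind of data
    an attacker pulls out of your mailbox: names, pets, birth years."""
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
    for w in personal_words:
        if len(w) >= 3 and w.lower() in low:
            reasons.append(f"contains personal word {w!r}")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if entropy_bits(pw) < 60:
        reasons.append(f"only about {entropy_bits(pw):.0f} bits even in the best case")
    return ("weak" if reasons else "ok", reasons)


def generate_password(length=20):
    """Random password from letters, digits and punctuation using the
    OS CSPRNG (secrets), which is what a password manager does for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words chosen uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words=6, wordlist=WORDLIST):
    """Random word passphrase: easier to type than symbols. With a real
    7776-word list, six words give about 77 bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("password", "John1985", generate_password()):
        print(pw, assess(pw, personal_words=["John"]))
    print(f"{passphrase_bits(6, 7776):.1f} bits for six diceware words")
```

The entropy figure is deliberately an upper bound: "password" scores 37 bits on paper and falls in seconds to any guesser that starts from a common-password list, which is why the blacklist and personal-word checks run before the arithmetic. A 20-character random string from the generator sits above 100 bits, and nobody is expected to remember it; that is the manager's job.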

5. Lock down your smartphone. This is also a whole topic by itself, so I won't go into detail. This is the computer people tend to be the least careful with, and yet it probably poses the greatest exposure, and it's the most likely to be lost or stolen. Most people don't even use a password or PIN code to lock their phone, and yet always use one on their desktop. Besides following the tips already mentioned, you should also encrypt your phone's storage.

6. And that leads to the next point: use encryption. This is one of the least used security measures, and yet one of the most important. At the very least, encrypt all your mobile computers, e.g. phones, tablets, laptops. A login password does nothing once someone has the physical system in their possession: they can boot from a USB stick or pull the drive and read your files straight off the disk without ever booting your operating system. Full-disk encryption is what turns that read into noise.

7. Be careful about what information you post on social networking sites. The more an attacker knows about you, the easier it is to steal your information, and even your identity. Not to mention threats from other kinds of predators.

And remember, "there is no patch for human ignorance." Stay informed about the latest tactics attackers are using. Maybe subscribe to an Internet security newsletter. And read those emails you get from your company's IT department.