Saturday, January 03, 2009

Computer security - a complicated problem

Technology is advancing really fast..but so are security threats. With the fast growing Internet and its exposure to even a common man, security threats have become much easier to perform and much more complicated to deal with.

With only ~900 million IPv4 addresses remaining for use in the Internet (out of roughly 4294 million in total), you can imagine the number of nodes connected to the internet -- this ofcourse excludes those computers which are connected to the Internet over NAT and proxy servers. And a number of computers share a set of public DHCP IP addresses on different time slots. So you can imagine the total number of computers connected to the Internet -- it's huge! So what does it mean to me as an end user?

Earlier when computers weren't connected, the number of ways a virus can enter a computer was very limited. Infact only through removable media. This could not happen without the user interaction (atleast, the user had to insert an infected disk). But now that the computer is connected with billion others, there are billions of nodes which can affect your computer and more importantly "without" even you knowing about it!!

The traditional means of virus protection through signature will slowly go obsolete -- as there are just too many viruses. The rate of new viruses is slowly increasing and at some point, the round-trip time for the AV vendors to publish new signatures for new viruses would be too late to stop the damage. In addition, new viruses are also self-mutating (they change their own footprint while retaining the same functionality) which makes the signature based protection much more complicated and sometimes useless.

With the AV vendors already migrating towards behavior based protection, the problem is getting better but it has its own problems. The heuristics of behavior based protection has to be smart enough to catch and stop a malicious virus and liberal enough to allow a legitimate program to do its job. The problem is much more complicated than it sounds (if it didn't), and I believe it is impossible to achieve this unambiguously. To resolve such ambiguities, the applications will need to ask the decision from the user, which is mostly confusing to a common user. There is a good chance that a common user would not understand the question.

Like, what if my body asks me "The pituitary gland is trying to secrete an enzyme 'abc' and is trying to send it to your kidney -- this seems suspicious, do you want to allow this?" -- a question on a virus's behavior might look equally awkward to a common user. But for a computer user it is becoming necessary to know some intricacies about its functionality -- because the problem itself is complicated.

In spite of all these AV products, it also requires discipline from the user while using the computers (specially while having access to the threat-entry-points like removable media, email, Internet etc.,) to be really safe. I don't believe that any AV product can provide 100% security. I think 'having all possible AV products and not having self discipline is much more dangerous than not having any AV product but having self discipline'. Understanding the various security threats is crucial to protect oneself from such attacks.

A new form of security threat which is seeming the most dangerous one is "botnet". The more I think of it, the more dangerous it looks to me. It requires a separate post; will write about it later.