This is a post series on cyber crime. For more posts click here or the cybercrime tag below.
Not mine, Karl Denninger of Market Ticker.
Here’s the problem, as I see it: How is it that a “program”, in this day and age, can be run from the Internet (or a received email) that wants to insert itself into the disk I/O system and operate in the background, both of which have to happen for this sort of attack to work, and not cause the operating system to throw up all over it without multiple, dire-warning style notifications that you are very likely about to be screwed?
There are a handful of capabilities in operating systems that are without a doubt useful but their legitimate and useful scope of action is extremely limited — and it is not only very unlikely that a user will want those capabilities to be used for a legitimate purpose such a desire by the user of the device will never occur “in secret” or “accidentally.” Among them are “hooking” the “human interface” input and outputs (screen drivers, keyboard and mouse inputs), background operation of programs (runs without a visible application “head”) and storage drivers for the I/O (that is disks, USB keys or SD cards, etc) subsystem.
You might want to hook the I/O subsystem to install an online cloud backup application, for example.
You might want to hook the keyboard system to be able to “stuff” input from something like a password safe program.
But the odds of you wanting to install a new “something” of this sort on a routine or random basis are literally zero, and to the extent where you do want to do so a very “in your face” warning requiring confirmation that what you’re about to do gives unbridled and potentially dangerous access to your keystrokes and data is not only appropriate it damn well ought to be mandatory in this day and age!
If I have a pool, do not erect a fence around it and a 2 year old wanders into my yard despite the fact that said 2 year old had no right to be there and is trespassing I’m going to get sued to beyond the orbit of Mars if said toddler falls in my pool and drowns! It matters not that I think such a capability to sue when the person had no right to be there and was not invited in is ludicrous; the law imposes that liability on me in the absence of a fence because if said toddler wanders into my yard he or she is both unlikely to understand the gravity of the risk and be severely harmed or killed.
The same situation exists here. I know damn well that anything in an email that is “executable” in any form is damn dangerous and likely a booby-trap. But I’ve been computer-savvy since the 1970s and do this sort of thing as a profession. The average user has no such expectation or knowledge —just like the average toddler has no idea that a pool is a potentially dangerous thing, especially if you can’t swim!
The usual defense is that “it’s just a program” and like “any other program” it can do bad things.
These “programs” require insertion into operating system hooks that exist for legitimate purpose but their legitimate purpose and scope of action is rare and unlikely to be used in the general sense by any form of general-purpose software. The OS Vendors put the equivalent of exposed 240V lugs on the side of your house, which you could use to power a pump in an emergency and which attach to wires going inside to run all the electrical appliances, but which are most-likely going to wind up getting someone electrocuted if left out in the open. As a result it is required that said lugs are contained inside a grounded box so that inadvertent contact with them is impossible.
How is it that Apple and Microsoft, since they’re the major vendors, are not held corporately liable for all of these attacks and their damages since it is trivial for them to implement such a protection yet despite over a decade of trojan and similar activity they have failed and refuse to do so and instead have left these facilities out in the open and unprotected.
There is a reasonable level of care that people are required to exhibit; I cannot shoot random bullets into the air because what goes up must come down and it might come down and go through your head! When you take money from someone that standard goes up, not down, and both Apple and Microsoft take lots of money from people for software just like you whether you pay it directly or indirectly in the price of your new computer.
I’m not talking about security “bugs” here; these programs use well-established and documented means of hooking into these systems, which allow them to do so without any sort of explicit warning that the act they’re about to undertake could have extremely dire consequence and should only be allowed by the user if said user is completely certain that the software in question is authorized and desired.
Such a prompt would stop these “ransomware” attacks dead in their tracks, permanently.
Microsoft and Apple should both be held civilly and criminally liable for the failure to provide such protections and warnings under the very simple perspective that they are knowingly and intentionally leaving the fence out of their pool construction, despite many people having drowned in same.
Here’s the Cnbc stuff that Karl Is talking about.
Mr. Delingpole has a point. I’m old enough to have played around with computers back in the end of the timesharing days. Back then security in a network was kept by having each user have their own shell account and having access permissions for executables and files. This also continued with the UNIX operating system, which I used up until the late 1990’s on engineering workstation. When computers became personal, for whatever reasons, Microsoft and Apple did not use a shell memory management system when they created the network versions of the PC OS’s.
For a long time, that was not a big issue, because PC’s were not actually connected very much except mostly to local area networks. Later, the bandwidth restrictions protected the computers to a certain extent. As internet expanded and grew that has changed. The way things are any computer that is connected is vulnerable. How bad is it? Well the keynote at Black Hat this year was pretty clear.
So what needs to be done? I think that it’s time that Microsoft addressed the kernel and made partitioned machines and file protections available and easy to use. The user should be able to easily partition and secure drives and be able to control which executables operate on those drives. This was available on UNIX systems over 20 years ago. You could even set up different desktops. That was on 20 year old computers. we should be able to do that now.
The Week In Ransomware