



The catastrophic state of security in 2014

Dec 02, 2014 | 5 mins
Authentication, Cybercrime, Data and Information Security

Can a mega security disaster be avoided? Not if we continue to accept the poor security practices and consequences that persist today


Not long before 9/11, there were attempts to strengthen airport security, which could be foiled all too easily. These efforts were stymied by arguments that more extensive measures were unnecessary and would increase costs to unacceptable levels.

If you ask me, we’re in a similar situation now. Computer security in 2014 is in a terrible state. Breach after breach occurs, but proposed solutions either fall short or incur so much cost and inconvenience that organizations refuse to implement them.

I’d like for us to develop a significantly safer Internet without needing an apocalyptic event to prod us to action, but I don’t hold out much hope. I’ve been fighting cyber crime for nearly three decades, and every year it gets worse. Let’s review the awful state of affairs we face today:

1. Cyber crime meets little resistance

We’re now accustomed to online identities and financial information being stolen: 258 million records were compromised in 2013 alone, according to the Privacy Rights Clearinghouse website. Meanwhile, APT (advanced persistent threat) teams have been or are in every company worth invading. Ransomware encrypts valuable personal data on hard drives and extorts money — via Bitcoin or some other hard-to-trace e-currency — to regain access.

Hardly any companies are doing all the basics, such as patching or backing up accurately. Honest security practitioners admit that their organization’s computer security is a house of cards.

It’s the rare company that will admit total defeat and force users off the network for a few weeks while it tries to make fixes. More companies should do this, although it’s all for naught if they don’t repair the vulnerabilities that gave the bad guys access in the first place.

2. Antimalware companies are lying to you

Don’t believe any antimalware program that claims to catch everything. The software — all of it — does much worse in real life. Even before today’s on-the-fly polymorphic malware programs, antimalware programs were not perfect.

Today’s malware writers test their creations against most of the world’s antimalware programs and release their programs only after they evade detection across the board. Plus, all malware systems contain code that allows them to update themselves when antivirus detections begin to trickle in.

One of my favorite sites is VirusTotal. Featuring 55 antimalware programs, it offers the same testing engine many malware writers use to test their program’s ability to go undetected.

I frequently find new malware on systems I scan with the service (often using Process Explorer’s new VirusTotal feature), but I’m lucky if even one-third of antimalware systems find the malicious program I’m scanning. Even if I come back and try again a month later, the detection rate is abysmal. How can any antimalware vendor claim a 100 percent detection rate with a straight face?

3. Privacy is dead — and nobody cares

I’m amazed how many people merely accept that all facets of their life are no longer private. All popular social media sites track user surfing behavior with an accuracy that would make any country’s spy agency jealous.

Even our physical identities can be tracked, using Bluetooth, GPS, or any service that requires we provide an identity. It should be no surprise that our hip, friendly little taxi services can track us anywhere in the world using a tool known as God View.

Online companies bury the lack of privacy in legal agreements that no one reads, but even when permanent privacy invasion is printed in large letters across the screen, users still click OK. For example, a provider may tell you it will have forever access to your contacts and even post items on your behalf. This sort of privacy invasion is insane. Yesteryear’s spam worms wish they had it so good.

4. Better authentication will solve little

I often hear from readers who think stronger authentication, in the form of two-factor authentication or biometrics, will solve most of our online ills. Yes, stronger authentication can help us fight Internet crime, but most Internet crime does not result from authentication problems. Usually, bad guys break into computers and assume the rights and powers of the legitimate, logged-on user. They don’t care if you used an eyeball, a smartcard, or a password to log in. They’re simply grateful you neglected to patch your computer or downloaded and ran their Trojan. Better authentication is part of the solution, but it won’t do much good by itself.

What will it take?

It took 9/11 to wake up the world to the terrible consequences of lax air security. Now we have reinforced cockpit doors, increased airport security, and better communications among countries and law enforcement entities. We may not like being inconvenienced at airport security checkpoints, but our air travel is safer.

Today, cyber crime is bad, but still considered a cost of doing business — as opposed to the crisis I believe it to be. I truly hope we won’t need to endure a giant cyber security catastrophe and instead reach a point where the cost and inconvenience of business as usual becomes higher than the cost and inconvenience of real change. Either way, at some point in the not-too-distant future, the people who can make the Internet a significantly safer place to compute will be called to action.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
