Security Advisor

Security Myths Exposed: Part 2

Common security practices -- debunked.

• By Joern Wettern
• 12/01/2006

Debunking myths of any kind is always an enjoyable exercise. People want to know the real deal. Back in July, I wrote about some of the more common security myths -- security practices that are widely considered to be valid, even though they're wrong. It's time to look at a few more, give them a thorough examination and debunk them once and for all. Along the way, I'll point out what you can do to avoid falling for these myths. (To read more about the first two myths -- SSL Is Secure and Complex Passwords Enhance Security -- see "Security Myths Exposed," July 2006.)

Myth No. 3: Power Users Are Not Administrators
When Microsoft created the Power Users group, it did so to give administrators the flexibility to let certain users perform tasks that require elevated privileges like computer maintenance. Power Users can indeed do many things, even without having full-fledged administrative access rights.

However, this group is often used as a crutch to let users run badly written applications. If your accounting program insists on writing its data files to the Program Files directory, then your accountant needs permission to do so, as the program runs with his credentials. You would never give full administrative privileges to an accountant, but making him a Power User doesn't seem all that bad and it helps get the job done. It does, but it also creates a serious security risk.

The problem with Power Users is that their assigned level of rights and permissions also lets them elevate their privileges to become full administrators. So a Power User is simply an administrator who has not yet elevated him or herself.

There are many ways for Power Users to elevate their privileges. Among the easiest is to replace a legitimate program in the Program Files directory with a malicious one that will elevate privileges. The next time an administrator or the system account starts, this program runs and will elevate the user. Even worse, this program may not have been placed there by the Power User. Other malicious software may have been responsible.

It would be easy to blame Microsoft for making the Power Users group too powerful. However, the reason that this group exists is to make badly behaved programs run for non-administrative users. The real culprits are software developers who are too lazy to write their programs so they can be run by a non-privileged user.

As frustrating as this may be, at least things appear to be getting better. Most software vendors have finally learned how to write programs that don't make you have to resort to the Power Users group. Vista also makes it easier to let regular users run programs with potentially risky behaviors -- like saving data in the Program Files directory, to use the earlier example.

In the meantime, the best you can do is to investigate the rights or permissions that prevent problematic programs from running in the security context of a regular user. Then assign just those to your users. If there's no alternative to adding users to the Power Users group, at least be aware of the risks of doing so, and plan on replacing programs that regular users can't run.

Myth No. 4: You Don't Need to Worry About Printers
I was recently looking into buying a new printer. When I searched for information about the model highest on my list, I found a number of security advisories. You may wonder how there could be a printer security problem. After all, printers don't store confidential data -- they just spit out paper in return for a steady diet of toner or ink.

A networked printer can do a lot more, though. The printer I was considering had several vulnerabilities in its built-in FTP service. An attacker could connect to this service and then redirect the connection to other servers on the network. It turns out that some hackers love to do this type of redirection to escape detection. After all, you'd never expect that your database server would get attacked by a printer. As a result, your intrusion detection system may not sound an alarm if this happens.

Also, networked printers are often password-protected to ensure that only authorized personnel can change configuration settings. It's not uncommon to see organizations using the same password for all their printers. In many cases, this is the same password used for other network devices as well. If an attacker can find this password, the next step is to try using the same password to reconfigure network switches to further penetrate the network. As a result, you should include printers and other network devices in your organization's security plan, even though they may not be obvious candidates.

Myth No. 5: You Can Completely Eliminate Spam
Two years ago, Bill Gates told the World Economic Forum in Davos, Switzerland, that spam would essentially be eliminated by 2006. The last time I checked my mail server, though, more than 99 percent of incoming connections were due to spam. It appears Bill's prediction was just a bit off.

Gates isn't the only one who has ever made an inaccurate assessment about spam. Not that long ago, Bayesian filtering was supposed to stop all spam. This type of filtering detects spam by learning patterns from the mail that you normally send and receive, and adjusting its decision-making to these patterns.

It didn't take spammers long to fine-tune their methods to defeat such filters. Even worse, one method spammers now use to get around better filtering is to simply increase the number of messages they send. After all, a spammer's goal is to get just a small number of responses. Doubling the number of e-mails sent essentially doubles the number of messages that arrive in a valid mailbox.

Greylisting is the latest craze in spam filtering. Mail servers already use blacklists to block all e-mail from certain addresses and whitelists to always accept messages from other addresses. When a server receives an incoming connection from an unknown address, a greylist will generate an error message that says that the server is unavailable and to please try again later. The message is only accepted when the remote server sends it a second time.

The logic behind this method is that most legitimate mail servers will automatically try again. Spammers, however, normally use a hit-and-run approach. They send messages once, but won't re-send them if they don't go through the first time.

Some organizations have achieved remarkably high spam-blockage success rates using greylisting. However, I'm afraid this success won't last for long. Most new spam blocking methods work well for a while. Once they're widely adopted, though, spammers notice an increasing number of their e-mails being blocked and quickly come up with other methods to get around the spam filters.

I expect the same thing will happen with greylisting. Even if greylisting remains effective, many organizations find the delay it introduces by asking the remote server to send messages later is unacceptable, as it can result in delays of an hour or more for incoming e-mail.

There's only one thing that will ultimately and completely stop spam, and that is when spamming stops being profitable. People have to stop buying items offered in spam messages. As long as there are people willing to buy fake designer watches, graduate degrees from obscure colleges that may or may not exist and V|@gr@, there will be enough incentive for the spammers to develop more efficient methods to get around spam filters.

While it appears that spam may be with us forever, you can at least stop most of it using one or more spam filters or a hosted solution. If you're using greylisting today, enjoy it while it works. I predict that within two years, greylisting won't be seen as a cure-all solution, but will join other spam filtering methods as one that works well in conjunction with other methods.

If Bill Gates can be wrong, though, then so can I. If spam does completely disappear in the near future, I wouldn't mind being wrong about that.