Insecure Workstations

19 May 2006

I estimate that at least 95% of all workstations used in home and enterprise environments are insecure. I do not mean insecure like "there's a hole in the OS". I mean insecure as "not designed to be secure".

Consider a common Windows XP workstation. How difficult is to infect it with a virus? Teenage kid can do that. How difficult is to steal data from a PC that is left unattended? Usually as easy as "reboot and insert USB key". How difficult is to steal a password of a user? As easy as "install a keylogger" (use virus, if neccessry).

Attacking the workstation is the easiest way to get what you want. The workstations are the second weakest part of any system (the weakest part is that thing that usually occupies space between the chair and the keyboard). Curent workstations were designed for usability, not for security. Any application can write on entire screen. We need that, because we want full-screen games and screensavers. Any application can read keyboard. We need that, as we want all the fancy pop-up thingies and devious keyboard short-cuts. Most of the applicatons can read and write anywhere on the filesystem. We need that because we want to make software installation and maintenance as easy as possible. That means that any application can do almost anything. Mix that with ineffective network security and low quality of standard software products ... what do you get? Disaster in waiting.

That's scary. And the most dreadful thing is, that some people try to build "secure" systems in this environment. They venture to make legally-binding digital signature on such platforms. They store classified information. They process personal data in large quantities. And they have the nerve (or ignorance?) to call these systems "secure".

This is the last entry from the "all sucks" series. I promise. I will write more about possible solutions next time.