Tuesday, 9 March 2010

Who can you trust?

So by now everybody has heard about the whole Energizer DUO affair. Couple that with the news that Vodafone shipped out some Android phones with Windows malware loaded on them. If you haven't heard about this bit yet, I recommend reading here and here. The ZDNet post is especially nice because it includes links to posts about other incidents just like this. You just have to ignore the Linux vs. Windows flamewar, which I'm sorry to say I let myself get dragged into the middle of. I think it's a shame that the post devolved into that when there's a serious security concern brewing here. It has nothing to do with OSes or even software. It has to do with trust.

We spend a lot of time talking about trust in the security world: "Don't download software from an untrusted source", "Don't open emails from people you don't trust", "Don't plug untrusted USB devices into your computer." Then we get very condescending when people fail to obey these simple tenets of trust. What do we do when the trust betrays us, though? These two most recent examples show cases where the users had every right to trust the infection vector. They downloaded software directly from Energizer's site; why wouldn't it be safe? I just bought this phone, it's brand new; how could it possibly have malware on it? The phone example would be exactly the same as if you went to a store like Staples and bought a thumb drive, opened that horrid plastic bubble packaging, inserted it in your computer, and then your antivirus started setting off alarms like a 1940s air raid siren. The device was brand new, had not been tampered with in the store as far as you could tell, and came from a trusted source.

So now let's take our hypothetical situation one step further. What if the malware isn't recognized by your AV? Now we have an infected computer. Your friend brings his USB drive over a couple of days later to copy some files. It's his USB drive; he knows where it's been. He knows you're a smart guy, so your computer should be safe. He takes the infected drive home and infects his machine. The cycle is obvious, of course. Yes, of course these hypothetical people should have autorun turned off; we all know that by now, so this example is not perfect. The issue is the trust factor, though. In these situations there is no "blame it on the user". They had every reason to trust these sources. It seems like the only answer is "don't trust anyone or anything". I'd love to see people's thoughts on this.


  1. Your blog posting would be much more helpful if you pointed us to how you can find out whether this infernal "autorun" is turned on and how you can turn it off.
    I, for example, have only recently started to use MS Windows and wasn't aware that this blatant disregard of computer security even existed. I mean: mount a USB drive and immediately, without user intervention, try to execute whatever's on it? Come on! You can't make that kind of stuff up.

  2. Dear Anonymous. Apologies, I assumed people would know that bit already. Rather than go into detail here, I'll let Microsoft do the explaining for me (they'll do a better job anyway): http://support.microsoft.com/kb/967715
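A defender-side answer to the question in comment 1, added here as an example and not part of the original post or of the Microsoft article it links to: this PowerShell script reads the NoDriveTypeAutoRun policy value that KB967715 documents, from both the machine (HKLM) and current-user (HKCU) hives, reports whether AutoRun is disabled for every drive type, and, when run with -Fix, sets the value to 0xFF. Assumptions: it runs on Windows in an elevated PowerShell prompt (writing the HKLM value needs administrator rights), and the function names are my own, not from the KB article.

```powershell
# Added example (not from the original post or from KB967715): inspect and, on
# request, disable AutoRun through the NoDriveTypeAutoRun policy value that
# KB967715 documents. Run from an elevated prompt to change the HKLM value.
# Function names below are illustrative, not Microsoft's.

$ExplorerPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$DisableAllDrives = 0xFF   # one bit per drive type; all bits set = AutoRun off everywhere

function Get-AutorunPolicy {
    # Returns one object per hive. A $null value means the policy is not set and
    # Windows falls back to its built-in default, which does not disable AutoRun.
    foreach ($path in $ExplorerPolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.NoDriveTypeAutoRun }
        }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = $value
            AllDrivesDisabled  = ($null -ne $value) -and (($value -band $DisableAllDrives) -eq $DisableAllDrives)
        }
    }
}

function Set-AutorunDisabled {
    # Creates the Explorer policy key if it is missing and writes 0xFF as a
    # REG_DWORD in both hives so the setting applies to every user.
    foreach ($path in $ExplorerPolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
            -Value $DisableAllDrives -Force | Out-Null
    }
}

# Usage:  .\Check-Autorun.ps1        -> report only
#         .\Check-Autorun.ps1 -Fix   -> report, disable, report again
Get-AutorunPolicy | Format-Table -AutoSize
if ($args -contains '-Fix') {
    Set-AutorunDisabled
    'After change:'
    Get-AutorunPolicy | Format-Table -AutoSize
}
```

The check uses a bitwise test rather than a straight equality so that a value such as 0xFF stored with extra high bits still reads as fully disabled, while a partial mask (only removable drives, say) is correctly reported as not covering all drive types. The KB article also notes that older Windows versions only honour this value once the update it describes is installed, so on such systems confirm the patch level before relying on the registry value alone.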