When All Else Fails, Set Up Networks Properly

by Doctor Electron

Notice to Intruders: No Burglar Tools Needed; Corporate Network Provides All

"All it takes is one e-mailed copy of the virus entering a corporate network for havoc to ensue," reports cnn.com on 6/05/03. If true, those networks are not set up properly.

Rather than addressing the cause of the problem -- found in the configuration of individual machines and how they are networked -- it seems that temporary fixes are preferred. For example, gateway software such as email filters may attempt to prevent malicious code from entering the network, implementing the maxim: "Keep the bad guys out, because if they get in, the boss may find out that the setup of the computer system stinks."

Maybe it is time for many organizations to suck it in and configure networks and the machines in them appropriately in the first place.

Lest we forget, email is simply a series of data bytes received over a network connection. It is not written in stone that the contents of such a data transfer must be processed in a way that would pose any threat whatsoever to computers or networks. Indeed, the only real issue concerning malicious code in email is waste of bandwidth and disk space.

Net Census computers receive virus-laden emails daily and neither the recipient computer nor its network is affected in any way. This computer system has neither email filters nor anti-virus software.

Condoms and Anti-Virus Pills

Indeed, the presence of these categories of software probably indicates that the computer system setup is inadequate and in most cases, that its proprietor does not know how to set up a computer system in today's internet environment.

Proper computer network setup would also prevent the majority of attacks by insiders. Given the substantial payoff to corporate management, the widespread lack of proper setup is one of the little mysteries of our times. Does the training of computer professionals at colleges and universities omit essential skills?

Both email filters and anti-virus software require updates and may cost more money than simply configuring the computer system/network right in the first place. Further, automatic update is not an option for secure systems. Therefore, email filters and anti-virus software are not real options anyway.

Automatic update is not permitted since it connects computers to remote hosts with certain privileges operated by strangers. [OK, maybe one or two readers actually have had lunch with an employee of one of these companies; but is he/she the one running the remote hosts? If not, my statement re "strangers" stands.] Even if your mother operates the remote hosts, only one of the following can be had: (1) computer system security or (2) automatic update. Take your pick. Both are not available at the same time.

Moreover, the premises of email filters and anti-virus software are fatally flawed.

First, use of software that tries to filter malicious code in emails is akin to the practice, "With a condom, one can safely have sex with HIV-infected strangers." Is the boss as reckless and irresponsible as that? It is wise for computer administrators to assume that corporate management generally are not compulsive thrill-seekers.

Second, use of anti-virus software may be equivalent to saying, "Condom or not, a magic anti-virus pill allows one to safely have sex with HIV-infected strangers." Why stop there? How about self-injection of blood from known AIDS patients? What? [Pause] Did I hear something? [Pause]. Oh, you have doubt that the anti-virus pill will work. Then, get on board. We advocate a safer approach, both in sexual activity and in setup of computer systems.

The absurdity of anti-virus software is underscored by the obvious fact that virus writers can use the same anti-virus software to test that new malicious code is up to VWG (Virus Writers Guild) standards, which stipulate that new code releases should not be affected by anti-virus software or should render it inoperable.

In brief, corporate management should indicate to computer administrators:

These categories of software may be discontinued, because it is time to properly configure computer systems. These crutches -- the partial fixes of flawed systems -- are just not good enough in today's networked world. Continuing presence of malicious code in email is a given. Continuing configuration of networks in "Three Stooges" style will not be accepted as a given.

The Stink-Fear Score

In summary, the degree to which malicious code in email is feared is a useful measure of how much your computer system stinks (i.e., is no good).

Hint: "Appropriate" system setup may go far beyond choice of software and clicking options in existing software. A full clean-up requires permanent removal of hundreds of items including Registry entries and .dll files or security patches on dozens of system .dlls to remove abused functions [make them return an error code]. And this reference is not to vendor-supplied patches, but rather to custom removal of functions, assuming other functions in the .dll are desired.

As just one example, a simple .vbs instruction will enumerate network drives. What kind of nonsense is this? Such things may need to be completely removed. Who in your shop needs to enumerate network drives -- really? Do computer administrators even know who needs to do that? If the answer is "everybody", you are ready for the Second Hint: There are essentially an infinite number of ways that can be devised for computers to share information.

Sniff Tests for Executives

How can corporate management know if their computer system is lousy? This is a good question, since these persons may be users, but not computer experts. If the answer is "Yes" to any of the following questions, it is time to talk to your computer administrators:

(1) Do received emails display varying colors, fonts and images indicating presence of html processing?
(2) Does a popup window automatically display when an email with an attachment arrives or is viewed? [Simple display of image files may be OK depending on the particulars, if specifically initiated by a user action, such as a right click. Note: some organizations discard all attachments, probably because their computer system is lousy.]
(3) If you double click on a .xls spreadsheet file, does Microsoft Excel start, load and display the file? [This is but one example of a "file-type association" -- a commonly abused function.]
(4) If you browse to a web site and click a URL like "http://www.website.com/data.xls" does Microsoft Excel start, load and display the file? [Best to do this test from a local server with a known .xls file.]
(5) Do computer administrators state that they have not permanently deleted a list of standard Microsoft Windows system files from essentially every computer in the corporate network? [A "Yes" answer = no "out-of-the-box" system files removed.]

Notice to Executives: Elvis Has Left The Building

With tests like those above, a user-level person can quickly assess if computer administrators have even entered the building yet, so to speak. If you get any "Yes" results in the above beginner-level tests, call the computer administrators in from the parking lot or playground. Break the news that Elvis has left the building and corporate networks should reflect that fact. Gently explain that "Yes" results such as these are fine for toy computers used for entertainment in the home, but not for computers in the workplace.

Apparently Microsoft does not offer a business version of Windows as presently described. So computer administrators will need to convert each machine from the toy version to the business version. If hundreds or even thousands of individual computers require conversion -- each involving hundreds of items -- a custom utility program may be used.

Application software that does not run on the business version of Windows will require reconfiguration or replacement with better software. In any case, you discover which application software fails to meet specifications, according to the business standards described.

Corporate management may find that computer administrators not only know how to get rid of the "Yes" results, but also are happy to receive such a directive. No doubt they already know that a business version of Windows as we have begun to describe is more secure and will lead to fewer problems for them down the road.

The few simple things above do not require much skill to test or remedy. But, hey, at least you have started.

Concerning email software, here are a few starter questions:

(1) Does it unconditionally (without user override) strip all html tags and non-printable characters from email message bodies before the message body is saved to disk for later viewing?
(2) Does it do nothing more with attachments than save them to a file and append a notice of the saved file's information to the message body?
(3) Is plain text the only display mode for the message body?
(4) Does it use only the most basic socket functions (connect, send, receive, etc.) to send and receive email? That is, the email program itself should make no system calls to any native Windows (.dll) network or email "helper" functions. [The first Hint above indicates that those would be removed from the system anyway; so email software that violates this point #4 would not work anyway.]
If you are not good on at least these four points, you are not even in the game yet.
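As an added illustration of starter questions (1) to (3), here is a minimal inbound-mail handler written for this page; it is not code from the original article. It takes the raw message bytes as they would come off the socket (the transport of point (4) is not modelled), reduces every text part to printable plain text before anything is stored, writes attachments to disk untouched with only a one-line notice appended to the body, and never renders or launches anything, so file-type associations are never exercised. The message it processes is constructed for the demonstration; the addresses, the attachment name and its contents are made up.

```python
"""Added example: a plain-text-only inbound mail handler in the spirit of the
starter questions above. Not from the original article; the sample message is
constructed for the demonstration."""
import email
import html
import re
import tempfile
from email import policy
from pathlib import Path

# Constructed sample, as the bytes would arrive over the socket: an HTML body
# with styling, a BEL control character and a remote image, plus one attachment.
RAW_MESSAGE = (
    b"From: sender@example.invalid\n"
    b"To: user@example.invalid\n"
    b"Subject: Quarterly numbers\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\n'
    b"\n"
    b"--XYZ\n"
    b'Content-Type: text/html; charset="utf-8"\n'
    b"\n"
    b'<html><body><p style="color:red">Please <b>open</b> the attached sheet.\x07</p>\n'
    b'<img src="http://tracker.example.invalid/pixel.gif"></body></html>\n'
    b"--XYZ\n"
    b'Content-Type: application/octet-stream; name="numbers.xls"\n'
    b'Content-Disposition: attachment; filename="numbers.xls"\n'
    b"\n"
    b"constructed attachment bytes, not a real spreadsheet\n"
    b"--XYZ--\n"
)

TAG_RE = re.compile(r"<[^>]*>", re.DOTALL)


def to_plain_text(markup):
    """Point (1): remove every HTML tag, decode entities such as &amp;, then drop
    every character that is not printable (BEL, ESC and other control codes),
    keeping only newlines and tabs as layout. Nothing else is ever stored."""
    text = html.unescape(TAG_RE.sub("", markup))
    return "".join(ch for ch in text if ch.isprintable() or ch in "\n\t").strip()


def process_message(raw, attachment_dir):
    """Parse raw message bytes and return (plain_text_body, [saved attachment paths]).

    Point (2): each attachment is saved under its basename only and a notice is
    appended to the body; the handler never inspects its type or opens it.
    Point (3): the returned body is plain text and nothing else."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_lines = []
    saved = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if part.get_content_maintype() == "text" and not filename:
            body_lines.append(to_plain_text(part.get_content()))
        else:
            data = part.get_payload(decode=True) or b""
            # Keep only the last path component so a sender cannot pick the directory.
            safe_name = re.split(r"[\\/]", filename or "unnamed.bin")[-1] or "unnamed.bin"
            target = Path(attachment_dir) / safe_name
            target.write_bytes(data)
            saved.append(target)
            body_lines.append(f"[attachment saved: {safe_name} ({len(data)} bytes)]")
    return "\n".join(body_lines), saved


def demo():
    """Run the handler on the constructed sample in a fresh temporary directory."""
    outdir = Path(tempfile.mkdtemp(prefix="mail_attachments_"))
    body, saved = process_message(RAW_MESSAGE, outdir)
    return {
        "body": body,
        "files": [p.name for p in saved],
        "contents": [p.read_bytes() for p in saved],
    }


if __name__ == "__main__":
    result = demo()
    print(result["body"])
    print("saved:", result["files"])
```

Running the script prints the single sentence of the message followed by the attachment notice; the colour, the bold tag, the control character and the remote image reference are all gone, and the attachment sits in a temporary directory where nothing has opened it.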

Note: The above commentary applies to 90% of malicious code or virii, which reportedly arrive via email. Many other special cases would also benefit from the considerations presented, but were not specifically discussed.

Copyright © 2003 Global Services
Original publication: June 7, 2003
