It has taken a long time, but slowly and surely computer security has reached the moment where it moves away from simply securing a device from specific threats to one in which more attention is paid to its everyday security state.
The argument for this evolution is simple: just because a computer is not being attacked doesn’t mean it is actually secure.
A pioneering example of this new philosophy has been Secunia’s Personal Software Inspector (PSI), which set out to make up for Windows’ scandalous lack of a central and automated patching function by giving users a central place to view the vulnerability of installed applications. Windows should have had this but Microsoft preferred to focus on its own software instead, leaving its installed base to struggle with a confusing array of different update cycles for each product or, worse, none at all.
PSI now performs most of that role, allowing PC owners to run periodic vulnerability scans and update out-of-date software from a single interface. The firm has also developed a version for Android.
Anti-virus programmes, too, are now taking on some of this role, with the latest release of Avast Internet Security a fascinating example of how this class of security software is expanding far beyond its original role.
For instance, Avast now scans not only the PC but the user’s local router, hunting for weak or default admin passwords, a notoriously common misconfiguration. These checks are pretty basic by router standards, but it can also work out whether the router has had its DNS settings hijacked and is redirecting traffic (something almost impossible to troubleshoot from the PC for a non-expert), and check whether things like IPv6 are enabled but not protected.
As an option, the paid version gives access to Avast’s own DNS server (with HTTPS scanning), a defence against redirection attacks. Using a custom DNS won’t be for everyone (will it be fast enough compared to a user’s ISP DNS?) but it is a service that could become common in the near future. In common with Secunia, Avast also recently added a central software updating system of its own, even going as far as to host common updates for things like browsers on its own servers to make the process more reliable.
Right now these features are far from mainstream in anti-virus programmes but look like an inevitable development as vendors look for ways to justify what are still fairly expensive programmes to buy licenses for.
Android - Windows all over again
Just as users used to make assumptions about the security of Windows PCs, so they are falling into the same trap with platforms such as Android. The number of recorded attacks directly exploiting weaknesses in mobile OSes remains small but it's clear that there are plenty that could become a problem should attackers have the inclination to test them.
But on Android, how can one even know which vulnerabilities are present on a particular version and which have been fixed? Apps update themselves automatically so that shouldn't be an issue but what about problems deeper in the OS itself?
A new app called Trustable from mobile security firm Bluebox Security sets out to offer an overview of sorts. Once installed, the app scans each device with the assumption that its security ‘trust’ status score is a perfect 10. As it discovers vulnerabilities, this number goes down, with zero being the lowest theoretically possible. Issues looked at include known software vulnerabilities, the existence of open (i.e. unencrypted) WiFi profiles, lots of apps using root certificates, admin rights or risky permissions.
The test device I ran it on reported that my Nexus 4 (running Android 4.4.4) had two significant software flaws, the Android FakeID issue reported by Bluebox itself last summer and the Linux Futex bug (used by Towelroot to root devices). The latter I was aware of although the former was, bafflingly, supposed to have been fixed in 4.4.4.
Of course, knowing something is insecure is not the same as being able to do anything about it but what it does provide is a comprehensive picture of a device’s security state, something that will change over time, improving or deteriorating. Should a new vulnerability become known, the score will go down.
Used with Secunia's PSI for Android, it offers Android users a welcome start in understanding the security issues of this platform and its apps that many still take for granted.
Despite running on different platforms, what Secunia PSI, Avast 2015 and Trustable have in common is that they are no longer simple barriers to detect and block security threats. Today’s most dangerous threats move far too quickly for that model to hold out for long. The assumption isn’t that the vulnerability is something ‘out there’ but already within the device itself.
This is the model that would have saved the world a lot of pain but eventually we live and learn.