Mathematical Expectation and Computer Security
Michael Gemignani

Two Fundamental Laws of Computer Security

The Internet contains lot of advice on how to protect your computer from malware, that nasty stuff that can toast your hard drive, steal your credit card numbers and create endless havoc on your monitor. There are some pieces of advice I find almost laughable.

For example, some folks tell you to beware of buying something over the Internet using a credit card. If you are dealing with a reputable site like Amazon.com, or using a legitimate service like PayPal, you are, in my opinion, less likely to have your credit card number stolen than if you give it to a waiter in a restaurant who runs off with it to the back room to ring up your tab. On the Internet, as in real life, if you know who you can trust, you are relatively safe.
There are, however, two fundamental laws that I will give you to help you keep your PC out of the clutches of the bad guys...
Law #1: Malware cannot do anything unless you do something first that enables it to do something.
Law #2: Malware that cannot do anything can be safely ignored.
Let me explain. If malware is to find a home on your PC, you must have done something, or omitted to do something, that allowed it in. Thus, the first line of defense in protecting yourself from malware is to make sure malware can’t find your computer; or, if it finds it, entry is barred. That is, the malware cannot install itself or make any changes whatsoever to your machine. It’s like preventing a burglar from entering your home by using burglar bars and a guard dog.
If, however, malware is able to install itself on your machine, then the next line of defense is to insure that it cannot carry out any mischief. While the best defense is to remove the malware completely, the next best is to make certain that it will never be allowed to run. And a last line of defense, should the malware find a way to run, is to make sure it cannot do any harm. Here the would-be burglar has been able to enter your home but is immediately set upon by the guard dog and immobilized.
The cat and mouse game between PC users and malware developers is becoming increasingly sophisticated with new strategies being developed almost daily by both sides. But the first line of defense remains you, the computer user. If you visit questionable sites, download pirated files, and click on any link that promises something interesting (yes, I know it is the funniest joke anyone ever heard), you are going to get malware. I guarantee it. Thus, if you are not sure that what you are doing is safe, don’t do it.
There are, however, both hardware and software designed to protect you from your weaker nature. In this column I will talk primarily about protecting yourself in ways related to Law #1. We will consider protective mechanisms related to Law #2 in my next column. Your first line of defense, other than your exercising due caution, is generally a firewall.
Firewalls can provide protection in several different ways. One defense is at the application layer (AL). A software firewall using an application layer defense allows Internet traffic to and from only those applications you specify. If you authorized the firewall to allow Firefox to access the Internet, then the firewall will permit traffic to and from Firefox. If you did not give such authorization, then the firewall will block traffic to and from Firefox; that is, you will not be able to use Firefox on the Internet.
Another form of firewall protection uses network address translation (NAT). Your computer identifies itself on the Internet by means of its IP address. Your IP address allows servers on the Internet to identify your particular machine; it is analogous to your home’s street address. However, if someone knows your computer’s IP address, he can attack it at will, probing it at leisure until he finds some weakness that enables him to compromise its security. In essence, a firewall using this method masks your IP address so that your machine becomes invisible to potential attackers. If your router has a firewall, the chances are that it uses NAT.
A firewall using an AL defense is like a guard dog that allows only the people you have trained it to trust to enter the house. A NAT is akin to making your house invisible so that burglars can’t find it.
Other types of software are designed to protect you using the principle stated in Law #1. For example, there is software that identifies potentially dangerous sites. Linkscanner Pro from Exploit Prevent Labs, which also comes in a free Lite version, will examine URLs and warn you if a link is a known threat. It also purports to scan incoming network traffic and warn against known attempts, so-called exploits, to deliver malware to your computer. You can query LinkScanner concerning a specific URL, or, if you get a list of URLs from a search service such as Google, it will scan each URL and warn you if any of the sites listed represent possible threats. This can, however, slow down your searches while you are waiting for LinkScanner to do its thing.
Most browsers also allow you to set your desired level of protection ranging from “Anything goes” to paranoia.
Browsers now generally have pop-up protection – clicking on pop-ups can sometimes download unwanted software. Many also warn against known phishing sites, that is, sites that may appear legitimate but, in reality, are just trying to get you to reveal a credit card number, your social security number, a bank password, etc.
You may also get a warning that a URL is not what it seems to be, in other words, the possibility that someone may be trying to redirect you to a dangerous site by presenting you with a URL that looks legitimate.
In addition, your browser should warn you if a download is being attempted, so that you can decide whether or not to accept it. Do not allow any download to proceed unless you are sure you know what it is. You can always save the download before installing it and test it with your antivirus software or query the Internet to see if the file is a known danger. In other words, your browser already has a number of safeguards built into it to keep malware at bay, provided you activate them or do not disable them.
If malware does slip through your safety net, all is not lost, as we will see in my next column. But learn from your mistakes. It is not those who make mistakes who deserve to be censured. It is those who repeat them.
Dr. Michael Gemignani, an attorney and Episcopal priest, is also a former professor of computer science who has written extensively on legal issues related to computers. Although he is now retired, he enjoys writing and speaking about computer law and security. Send him your questions or comments to mgmign2@hal-pc.org.