There's no silver bullet for security

There are no easy solutions to the problems of spam and email-borne malicious code - no matter what the vendors might say
Written by Patrick Gray, Contributor

Have you heard the news? The spam problem has been solved by a new type of mail architecture, and hackers are a thing of the past! A vendor has released software that can block attack types that haven't even been invented yet, and can foil spam techniques that won't even be developed until 2015. Really.

This is what us poor old IT journalists are told every day by a dozen press releases from a dozen companies out there that are eager -- too eager -- to get their products out there. They may have good software and "solutions", but there is such a thing as over-selling.

Let's look at some of the pitches out there.

A great example is MessageLabs' marketing material. According to its Web site, MessageLabs' mail filtering service "can assure you of complete peace of mind from complete email security". Aside from being somewhat ambiguous -- it's not "email security" that worries me as much as email-borne threats -- this statement is an exaggeration. Sure, the service is a good one, but would it give me complete peace of mind? Hardly.

ZDNet Australia recently had a visit from a Melbourne-based software distributor, which had put together a suite of software products in the security area -- a couple of which were good products that I would recommend to some people. However, there is no way known that their product could make "all [italics mine] unauthorised software (including viruses) un-executable while still allowing network users to access the software they need". Let's get real, people!

Don't even get me started on security vendors peddling "Intrusion Prevention Systems" (IPS) like they're some kind of silver bullet cure for all security ills. I'd like to see some of those vendors taken to court on a Trade Practices Act violation for misleading and deceptive conduct. Sure, IPS are starting to show some promise in detecting and preventing some types of attacks, and there's some ok-ish heuristics code being bunged into them, but even calling them an Intrusion Prevention System is, in my opinion, misleading.

My all-time favourite was an Intrusion Detection System company that claimed to use artificial intelligence ("I'm afraid I can't do that, Dave") to detect attacks. Of course the vendor -- through its PR agency -- wouldn't provide me with any more detail on how the thing worked without getting me to sign a non-disclosure agreement. Sounds great. Hate to burst your bubble, Mack, but I'm a journalist -- my job is disclosure.

Now Yahoo has a new proposal for ridding the planet of spam. This will involve performing cryptographic processes on every single email sent or received on the Internet, in order to authenticate that messages are actually coming from the domains they say they are coming from.

It sounds like a great idea on the surface, but there are a few problems.

First there's a security angle. It will involve tacking a whole bunch of code on to server-side software. More code means a higher vulnerability count; there's no two ways about it. Then there's the issue of the server-side processing overhead that would be required to cryptographically verify every single message coming into a given company or ISP. By the looks of things the process would involve server-side verification of a message based on pulling a public key out of a domain name server and cryptographically verifying its authenticity. Ouch. That's going to slow things down. That's not to say existing anti-spam software doesn't, but still!

While it may not be a problem for a small company with an under-utilised mail system, I would imagine an ISP like Telstra's BigPond may find it a little difficult to cope if it suddenly had to check crypto signatures on however many millions of messages its mail servers process every day.

Now we get to the real point. The majority of spam, 66 percent according to the aforementioned MessageLabs, comes from home systems that have been compromised by worms and viruses which act as relays for spammers when they take over a system. Even under Yahoo's new architecture, it will still be possible to hijack some poor sap's home system and use their legitimate email account to spam the masses. Even if the user has to enter a crypto pass-phrase before sending mail, standardisation will ensure that stealing that pass-phrase will be a piece of cake once the system is compromised.

Any way you look at it, the only way to fix the spam problem is to educate Net users.

Until everyone stops buying products advertised through spam, and Internet users, system administrators and ISPs all get better at securing their systems against spammers and their techniques, we'll be pushing the proverbial up the hill for some time yet.

Enough of the silver bullet.
