Diminished Capacity

One of my first major undertakings at my current job was the move to a least-privilege model for desktops. Under this ideal, computer end users have only the minimum privileges necessary to perform their jobs. Less elegantly, it might be called “taking away admin rights”. Regardless, the goal is to reduce support costs by ensuring a standard configuration with licensed software of a known version and state. Additionally, it substantially reduces the scope of threat from viruses and other flavors of malware.
Lately, I’ve seen a disturbing trend where malware seems to be designed specifically to work within this constraint. It was always possible, as non-administrators can by default still download and run code not already present on the system. However, their inability to install software has always overshadowed this. Unfortunately, it turns out that “install” is a pretty ambiguous term. At its root, it’s nothing more than the process by which software is placed on a system and made ready for use. Historically, this has involved putting various bits and pieces in protected areas of the system that only administrators could access. Thus, we tend to think of it as an act that only an administrator can perform. In reality, there’s nothing to prevent a writer of malware (or legitimate software) from designing his software in such a way that it can locate all of its components within the user’s profile or home directory and run solely from there. If it then changes the user’s settings to run itself at startup, is it not then installed? Granted, malware of this nature is more limited in what it can do. For instance, it cannot affect other users of the computer, nor can it hide by altering the operating system itself. Still, it can mimic system dialogs, steal or destroy user data, barrage the user with unwanted pop-ups, etc. With these capabilities, it would seem that the only difference between this flavor of malware and that of the past is ease of removal. That’s probably little comfort to the poor guy that gets hit with a series of “porno.org” pop-ups as his boss walks into the room.

In IT, we often hear of security through obscurity, the reliance on attackers’ lack of knowledge rather than sound design. Unfortunately, as technical work continues to be farmed-out and otherwise devalued, we’re seeing spike in security through absurdity. I can attribute it only to a lack of ownership or stake in the job. Really, it’s complicated work to do security right, and it’s probably tough to keep up the good fight if the only aspect noticed by management is a slipping ship date. Still, I’m left scratching my head after seeing this error message. I understand security being overlooked in the design phase… and followed by inadequate testing during QA. But the fact that someone spent some time writing this very specific and well-worded error message indicates that the behavior it describes is intentional. I’ve spent the last fifteen minutes trying to think of just one sound and secure feature that could benefit from a cookie being written at logoff.