Slashdot Mirror
Symantec CTO on Flash Attacks
scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
Create the problems yourself, and you'll always be ready to handle them.
I thought that already was happening every time I go to a site with flash banners. Flash Attack. Yes, that name fits quite nicely.
and Symantec has just the product to sort all this out?
Alex
Please, please post this kind of stuff in your journal or in a related thread... there's just one more annoying thing than reading the type of post you just made, and that's the kind of post I'm writing right now :S.
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?
I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.
Java applets.
To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode
You mean like Windows Update?
actually, JScript.Net may be a good replacement too. It has full DOM support, something C is sorely lacking.
Now I'm just a humble corporate drone but wasn't Slammer doubling in size every 8 or 9 seconds simply by spreading as fast as the internet would let it?
How in the world are these "flash attacks" supposed to attack the entire internet in seconds? Launch from multiple points at once? Go faster than light?
Before any mods take the parent seriously, please realize that this is a troll. He gives himself away in the second paragraph: (emphasis added by me)
However, Java has only been around since 1995, making it physically impossible for this guy to have over ten years of experience. I'm sure that's not even possible if he actually was one of the Java architects -- "over ten years" implies that the latest he could have first used Java was 1992, a good three years before Java was officially announced. While Java could have been around in some form or another internally at Sun, I sincerely doubt it would've been in any kind of useable form that early.
Others may say he gave himself away even earlier, saying that Perl is a retired language. I'm optimistic, and would like to think Perl is dead, so I won't hold that one against him :)
System Admins are always trying to keep up with hackers, and i dont see that stopping anytime soon. There is only so much we can do to prevent it, and the only way to be invunerable is if your computer is off or not on the net. And that's not very productive. System admins are just going to have to keep coding their own firewalls and other anti-virus stuff, download microsoft "security" patches, and just roll with the punches. There is no way to stop hacking, and if we could, would we want to?
OMG OMG OMG WTF OMG WTF BBQ STFU RTFM, OMFG OMG OMG OMG ROFL LMAO OMG WTF STFU ROFLMAO
When Flash Attacks! Amateur video of some of the most horrific Flash animation ever to hit the web! Will the users survive?
Monoculture is bad.
Diversity is the only way out of this, long term. The idea of having only one codebase for 95% of the computers in the world is insane. The long term fix is to actively encourage alternative platforms, and multiple competing versions of software that aren't clones.
A hetrogeneous network is going to be much more resilient, though this is a tradeoff from efficiency. As with the original design of the internet (packetizing data instead of streams), the tradeoff more than pays for itself in the long run.
--Mike--
as an employee of Microsoft shouldn't you be pushing VB .Net??
How many people expected this article to have some reference to a new security exploit using flash?
He has over 10 years experience using Java because he's a time-traveler. Are you going to argue with a time-traveler?
It's Saturday night and you're writing a rant on Slashdot.
Man, you're a fucking loser.
Symantec has a long history of trying (and somtimes succeeding) to create panic in the realm of computer security.
Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.
I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)
On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.
I'll try to work something up and deliver it sometime next week. Do you folks think I should also include complete public key security for every packet with no bandwidth or processor overhead?
Cheers
-b
Speed is the key to deterrence. Arrest someone; put them to trial; punish them. Swift, harsh but just punishment is a deterrent. If attacks result in loss of life, capital punishment is called for.
The law should be changed so that appeals don't drag out for 20 years. That old saw is as true today as it ever was:
Ok, when is the endless parade to 'secure' things going to come to and end. There will always be risk inherent in everything, and there is no way to eliminate it.
But now people are worrying about the 'net being brought to a crawl by these so-called flash attacks. Look, if you corporate pinheads didnt put the internet into a state of stagation by putting in the lobby to pass all these restrictive laws, we wouldnt even have this problem
Before all these 'laws' designed to protect came along the internet was changing fast enough to keep the size and scope of such a thing from even coming close to happening
This is the internet you allowed to form, dont come crying to me that the ones you put in power are now using it for their own means...
scubacuda writes
"Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged."
If they were really Warhol attacks, they'd be crappy hacks (because they'd only be famous for 15 minutes, not in 15 minutes.)
My
Limekiller
So to stop a worldwide automated intrusion from working, we need to set up a worldwide automated method of changing the core software of all of our systems very quickly.
In summary therefore, customers of IT must wait for months while a commercial software outfit fucks around with an as yet undisclosed vulnerability, but should be prepared to instantly and automatically apply whatever hack and munge job said company puts together at the last minute when the bad guys actually start exploiting the problem.
Why don't we start writing more responsible fucking code? I think that if as much time and effort were spent doing security evaluation of commercial software development as goes toward finding the most underpaid programmers the developing world has to offer, we wouldn't be asking underpaid adminstrators to automate patching.
Please bookmark the website ( http://opentrolls.free.fr ) and join us when the page is ready fellow trollah!
Cheers,
OTM Certified Trollah #001
Sounds like some flasher jumping out of the bushes...
And pray tell, what little Third World shithole do you two asspirates hail from? Kaniduh or some other pile of dung like that?
Chowder Likes the mansecks
The same old story. Scare people, hype up these dangers, come up with totally unrealistic "threat" scnearios.. and then put your hand out and ask for money.
Basically what he just said, in order, was:
1. If something breaks it should be fixed quickly soon
2. If something breaks you should turn it off before it breaks any more
3. You should try to make things not break
Those three principles are done simply as a matter of common sence by your average guy riding a bicycle, and I beleive those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.
The only difference between his suggestion an bicyle repair is that the computer system is automated, which is done with systems already in place on networks with competant sysadmins.
The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
One solution (as pointed to by an earlier poster) is diversity.. If people are running different OSs and different flavours then it's a bit harder for somebody to take total control. I wouldn't even suggest a 100% movement away from MS (although 75% would make life a lot easier). Even the heavily audited OpenBSD has managed a root compromise or two in it's history, and it only takes one zero-day bug to bring down a whole system.
For those people running MS, yes -- you definitely need help. That having been said, I would still suggest some diversity there... Not all machines should be running Semantic. There should be at least a few running other AntiVirus products (like AVG). That way if Semantic misses something, there's still a possibility that one of the other virus checkers in a company will catch the bug (and enable faster recovery). It would also provide some hope of survival in the case of a symantec takeover like I mentioned in the first paragraph.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
You just know that Microsoft is going to use this as an excuse for Windows vulnerabilities.
"Yes, that blue screen that you're seeing is actually what is known as a 'flash attack' that is becomming so common...."
The Political Programmer
Most admins with any security background know that the right answer is DEFAULT DENY.
When is the mainsteam going to wake up?
But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
-davidu
# Hack the planet, it's important.
In the last paragraph:
...hopes that the
great Swede himself, Linux Torvaldis, won't...
So it that a new dist? I use Linux Mandrake, I didn't know there was a Linux distro with Linus's last name on it.
I'm something of a hetero genius myself. Thanks.
I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).
DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.
Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propogate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propogate so fast. But I just don't see what connection more and more aggresive worms have to do with groups of organized, well funded hackers acting for international terrorists or the like (a concern repeatedly brough up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.
In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.
I feel that it needs more racial epithets. Thank you.
Side note: if you use Mozilla, download the autoscroll patch. When you middle-click to start the scrolling process, the Flash ads disappear. This is a very cool side-effect.
I feel fantastic, and I'm still alive.
www.cgisecurity.com/lib
They have such a history of screwing up everything they touch. Why should we trust them for securing ANYTHING, let alone Internet services?
You would think just about anyone over the age of 15 who has some kind of affinity for technology would have seen at least one movie depicting the kinds of problems with Symantec's solution taken to its logical conclusion. For example:
"SKYNET became self-aware at 4:01 AM on August 4th, 1997 and at 4:12 it ordered a pre-emptive nuclear strike."
When information is power, privacy is freedom.
Am I the only one that noticed the increased possibility of attacks, caused by an app running on the network waiting for "automatic" updates? Whatever method they try to use for the updates, will also be susceptible to attacks. So to me, it sounds like they want software companies to put a giant backdoor in their software, and then get paid to protect said backdoor. This sounds like Symantec watched Matrix: Reloaded, and decided that the only way to stay in business was to create a Keymaker.
C. Griffin
"Can I keep his head for a souvenir?" --Max from Sam 'N Max Freelance Police
To badly paraphrase him, "In 15 minutes every virus will be famous."
this guy has some awesome ideas...never have mod points when ya need em...
...from their website:
CylantSecure 2.0 Named Best Security Solution in LinuxWorld's Product Excellence Awards Program
MOSCOW, Idaho -- Cylant today announced that CylantSecure 2.0, an industry leading host-based intrusion defense system, was named "Best Security Solution" for LinuxWorld's Open Source Product Excellence Awards. Cylant beat out four other finalists to win the award, including IBM and Computer Associates.
LinuxWorld Conference & Expo (August 12 - 15 at San Francisco's Moscone Center) is the premier event exclusively focused on Linux and Open Source solutions. Presented in conjunction with the UniForum Association, the Open Source Product Excellence Awards recognize Open Source product and service innovations offered by some of the world's leading ISVs, OEMs, service providers and developers.
CylantSecure applies a preventative, behavioral approach to security, utilizing kernel monitoring to detect attacks without needing continual signature or rule-set updates. Through behavioral measurement, CylantSecure is able to detect malicious activity in real time and control the operation of the software to report and immediately stop any aberrant behavior. CylantSecure uses sensors to monitor the behavior of the software, along with a statistical analysis engine to identify any abnormalities in the behavior.
Through continuous behavioral monitoring, CylantSecure can send users early warning of attacks, so appropriate measures can be taken. Such measures might include shutting down the program, shunning traffic from the attacking IP or performing system state analysis.
"To be chosen 'Best Security Solution' by our industry peers is a tremendous honor," said Joel Rothman, president of Cylant. "CylantSecure is a demonstration of our ability to measure and control the behavior of complex software systems. From a security standpoint, it provides a way of keeping systems that run vulnerable software secure - providing one of the key components of preventative security. By utilizing this approach, we believe that CylantSecure offers a unique solution for Linux."
CylantSecure 2.0, which debuted at Linux World, is the newest upgrade of this product.
Benefits of CylantSecure version 2.0:
* Easier to use.
* Easier behavioral training control.
* Significantly reduced calibration times.
* Policy creation wizards.
* Better behavioral visualization capabilities.
* Easier to use on non-RedHat distributions.
Features of CylantSecure version 2.0 include:
* Context sensitive help.
* More powerful and flexible policy engine.
* Incremental calibration capabilities.
* Faster console.
* Improved behavioral graphing engine.
* Cross platform installer.
"By building a product that tackles the challenges of intrusion prevention in a different way -- enforced normal behavior of software -- CylantSecure puts control back into the hands of the 'good guys' like systems administrators," says Scott Wimer, CTO of Cylant. "This approach is one component of a preventative security posture rather than a reactive security posture."
Wimer goes on to explain that, "The preventative approach is a new approach to security that involves trigger events that the good guys can control. This controllable process is similar to the one systems administrators currently work through in every other area except security. If you think about it from the perspective of CEOs, CFOs and boards, controllable trigger events are much more desirable than the uncontrollable risk scenario that they are faced with today -- much less damaging and certainly much less costly."
According to Joel Rothman, president of Cylant, "CylantSecure is a demonstration of our ability to measure and control the behavior of complex software systems. From a security standpoint, it provides a way of keeping systems that run vulnerable softwa
Isn't it possible to get a Flash animation to run malicious code? I'm not sure about its destructive abilities, but I'm pretty sure you can launch a client-side denial-of-service attack using a really large Flash file with lots of extraneous links. Combine that with existing Javascript vulnerabilities and you've got one pretty good trojan. (I imagine a cache flush and a self-reload might even do the trick...)
Pet peeve: Profane people propagating perfunctory pedantry.
Heterogeneity is hard to maintain, because it's often the direct opposite of interoperability and maintainability. For example, the impact of various SSH vulnerabilities would've been minimized if people used a variety of secure shell methods instead of standardizing on SSH; but then it'd be a nightmare to connect to systems (you'd have to try out 5 clients or something).
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Wouldn't it make sense that this kind of "the sky is falling!" doomsday preaching would be coming from a company that makes security products for a widely deployed operating system that's full of security holes?
It's in Symantec's best interest for people to be afraid. Take this with a grain of salt, people -- and always follow the money.
Tired of FB/Google censorship? Visit UNCENSORED!
Who in the hell funds hackers to write viruses that attack networks? Sure, the military and intelligence agencies do it, but I really doubt that they're writing stuff like the SQL Slammer.
So what corporate SOB is funding this sort of thing?
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publically disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
Having an heterogenous network is not such a straightforward solution as you put it. With the number of protocols still using cleartext passwords, and the tendency of users to use the same password in many places, a simple packet sniffer can take a cracker pretty far inside your network. The bottom line is: cracking a single box is often enough to compromise the security of a whole network.
So having multiple OSes as you suggest just increases the number of potential security holes, making your network easier to attack, not to mention harder to maintain.
I believe that security can be better achieved by a good network design (yes, it's not just the boxes: a good network design can greatly improve security, while a bad one can be a security hole by itself!), sticking to as few OSes as possible ("secure" ones of course), patching often, educating your users, etc... Standard security practices. But one thing not to be forgotten is that computer security is always a compromise. It is how much an attacker is willing to try, versus how much you are willing to invest in preventing a security breach. There is no 100% security.
I code, therefore I am.
Doesn't have that ring about it, but it's far more likely.
The only plausible protection is diversity and in general making things so that people are aware of what's happening rather than having everything hidden.
The Unix Honor Virus would be extremely effective, if only the victims would actualy fall for it.
It's nothing more than a smear campaign by Ming the Merciless designed to break up the alliance with the Hawkmen.
Jeez, you people shouldn't believe everything you read on an internet rumors site.
Ergonomica Auctorita Illico!
Your IP address reeks of Americana. Explanation?
The parent post is gratuitous plagiarism. See for yourself.
From Bruce Schneier's February 15 Crypto-Gram:
"But there's an interesting Microsoft twist. During the days of the attack, Microsoft tried to deflect any blame by claiming that they issued a patch for the vulnerability six months previously, and that the only affected companies were the ones who didn't keep their patches up to date. A couple of days later, news leaked that Microsoft's own network was hit pretty badly by the worm because they didn't patch their own network."
From the parent:
"There's an interesting Microsoft twist to the recent Sapphire Worm, aka SQL Slammer. During the days of the attack, Microsoft tried to deflect any blame by claiming that they issued a patch for the vulnerability six months previously, and that the only affected companies were the ones who didn't keep their patches up to date. A couple of days later, news leaked that Microsoft's own network was hit pretty badly by the worm because they didn't patch their own network."
From Crypto-Gram:
"For a couple of years now I've been saying that the idea that we can achieve network security by finding and patching vulnerabilities in the field is fatally flawed. I don't blame Microsoft sysadmins for not having their patches up to date -- no one does -- but I don't like the hypocrisy out of the company.
The SQL Slammer worm also reopened the full disclosure debate. Microsoft announced the vulnerability in July 2002, at the same time they released the patch. A few days later, David Litchfield published exploit code that demonstrated how the vulnerability could be used to break into systems. January's SQL Slammer worm used that exact code. Some point to that and say that Litchfield should not have released the code, while others correctly say that the code wasn't hard to write, and that the worm author could have easily written it himself.
An amusing, but irrelevent, incident: A week after the worm, I was invited to speak about it live on CNN. The program was eventually preempted by the Columbia tragedy, but not before the CNN producers invited Microsoft to appear on the segment with me. Microsoft's spokesman -- I don't know who -- said that the company was unwilling to appear on CNN with me. They were willing to appear before me, they were willing to appear after me, but they were not willing to appear with me. Seems that it is official Microsoft corporate policy not to be seen in public with Bruce Schneier."
From the parent:
"The idea that we can achieve network security by finding and patching vulnerabilities in the field is fatally flawed. I've been saying this for a couple of years now. I don't blame Microsoft sysadmins for not having their patches up to date -- no one does -- but I don't like the hypocrisy out of the company. The answer lies in software programmers creating secure code.
The SQL Slammer worm also reopened the full disclosure debate. Microsoft announced the vulnerability in July 2002, at the same time they released the patch. A few days later, David Litchfield published exploit code that demonstrated how the vulnerability could be used to break into systems. January's SQL Slammer worm used that exact code. Some point to that and say that Litchfield should not have released the code, while others correctly say that the code wasn't hard to write, and that the worm author could have easily written it himself.
An amusing, but irrelevent, incident: A week after the worm, I was invited to speak about it live on CNN. The program was eventually preempted by the Columbia tragedy, but not before the CNN producers invited Microsoft to appear on the segment with me. Microsoft's spokesman -- I don't know who -- said that the company was unwilling to appear on CNN with me. They were willing to appear before me, they were willing to appear after me, but they were not willing to appear with me."
to the one os no one has ever tried to hack
;-)
security through... um... obscurity
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Another troll hits the dust. Stupid copy and paster.
This will explain what I'm talking about
Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks."
Or if you're not so well-funded you achieve the same effect by linking a site on Slashdot.
and i have to say, some of the people who have responded and been modded up have been along the lines of "well-funded groups of hackers, please!"
"somebody is crying wolf to stir up business obviously!"
holier than thou, no corporate geek is smarter than me false sense of security is just as dangerous as false alarmism, no?
no, i am not a symantec drone, but during the may day week after the hainan island spy plane incident a few years back, didn't some rather organized attacks and counterattacks occur between american and chinese hackers feeling a little too much of their nationalistic jingoistic cojones?
i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem
am i spreading FUD? or does my "false" alarmism insult your "false" sense of security?
go cnhonker.com if you dare
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I was once contracted to Symantec in the not-too-distant past, and this I can tell you for certain, having witnessed it on multiple occasions: Symantec in no small way creates many of the problems it then 'solves' with its software.
Here's just one example: Symantec used to offer a bounty for viruses. It's rather underpaid antivirus support staff, with access to all documented viruses as well as existing exploits in current software would, on their free time, craft viruses and then 'discover' them for the bounty. The trick was to do this through friends, often splitting the rewards, to avoid getting caught out.
Despite this, the management was well aware that its antivirus staff was creating much of the virus 'problem'. And they turned a blind eye to these activities, because it generated more business for them.
This is just one example of a number of rather reprehensible business practices I observed while working for Symantec. I found the company to be so sleazy I terminated my contract after five months, and refused to work with them again.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
It's no wonder this comes from someone at an anti-virus corporation, whose main purpose is to patch the holes left in unsecure operating systems. Now, if he had suggested the correct solution, making the systems at least somewhat resilient to attacks in the first place, he would also suggest that his company shouldn't really need to exist, making shareholders unhappy.
I can't imagine a worse nightmare than having to rely on insecure systems going through automated updates with a frequency as low as 15 minutes. Do you think all those patches are going to work? That they are actually tested? That they don't create as many new holes as they tighten? That they don't change your carefully tuned setup which wasn't vulnerable for what the patches are supposed to fix anyway?
Please give me some design and forethought instead...
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
I have never liked virusscan vendors, they call their product "antivirus software", but it hasn`t changed one bit since the dos days when they where just tools to find which of the 100 files on your hd where infected with one of the 10 or so viruses in the wild. They dont offer any protection against the holes in all the new services and features in operating systems and applications. They only offer help cleaning up known mallware (except for mallware from people that can sue symantec for interfering with their business: spreading spyware)
Clyde: The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years."
With the Antivirus vendors the attack frequency is always going up ;-) I believe them on that one though. But the complexity? Nothing as complex as nimbda for months now. "the tools" in my view where asambler compilers in the old days, and are C/C++ compilers these days... I hardly think this mathers that much, and if it did, why didn`t we see more C viruses in the dos days? (visual basic has a harder time abusing vulanerabilities, and therefore is unlikely to be used in real worms)
Clyde: The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days."
A proactive aproach? well I guess the "sitting around eating pie" option is definantly out of the windows then? The vulnarability window for me goes from the moment the faulty code is compiled to the moments every single user is running patched code, everywhere... Getting this window to zero could prove difficould but I am sure mister Clyde will be offering a product that reduces the time to "virtually zero", although it wont be A product but really a service.... an expensive one. I think the six months between discovery and exploit, are six months between vendor notification and bugtraq post of exploit code, I dont think there has ever been a vulnarability so complex it would take a competent coder more then hours to build something exploiting the hole. There are many competent coders out there, not all of them post their work to bugtraq. The posted exploits are usualy posted to force vendors into patching code real fast (usualy after they apeared to be doing nothing for a while), I guess that when it comes to holes in a microsoft product used by 50% of the planet "real fast" is just shorter then the stuff that was discused in the old days on bugtraq.
Clyde: To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode.
Fast machines with big pipes where what made code red spread fast, machines like the windowsupdate servers.... If even the open source community has problems getting software safely to the users (several cracked ftp mirrors with altered releases) then its safe to asume that big players in the software market are not gonna get the automated update system right in one try. Just think of the holes in hotmail.... sure updating services will have more attention on security, but the hotmail holes where really really pathetic and the most recent one wasn`t any more complex then the previous ones.
Clyde: Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that
Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.
I like it.
'One of my definitions of a cult is somebody who says 'Just give us your money and control of your life, and everything will be fine'.
US government
The "stock market"
"Globalism"
May i sugest a class 0 attack, thats when Symantec sends off its marketing monkeys to promote yet another useless personal firewall product ;)
Well, I don't remember details, but I was pretty sure there were some fundamental flaws found in the SSH1 protocol, though I'm not sure how severe they were.
Even just keeping diverse implementations is difficult though. If you wrote your software for Apache, you usually have to run Apache on all your webservers; if you need to use 3rd-party software written for Apache, the same goes. The only way this is really sustainable is if there are a small number of very major players of about equal strength (say, IIS and Apache) so that your 3rd-party stuff is readily available for both. Even this is hard to maintain for any length of time, and I think hoping for say 5-6 viable major implementations of any particular service is rather optimistic.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
This relates to something I've said all along:
Virus checkers don't work
Norton/Symantec/McAfee would like you to believe that $39.95/year or whatever will protect you but the truth is: these programs check against known viruses only. There is always an incubation period between the appearance of a new virus in the wild and the appearance of the update to detect and kill it. This incubation period provides a window for a real virus to do real damage.
To date, there have been no highly damaging viruses. You are lucky. Don't rely on the virus checker to protect you. Instead, look for operating systems and software having inherent immunity built into their design.
Sure, you can use the virus checkers as a secondary measure. But they won't protect you fully.
(*Well actually I have, but that don't fit into my slashdot-image and would not make this joke funny.)
What really fits the image is using the slightest excuse to brag that you don't fit the image.
Infuriate left and right
SQL 'slammer' should NEVER have been an issue. BASIC security practices would have stopped it. What kind of retards run SQL exposed to the Internet???
Yes, patches are important, but basic common sense is much much more important. Like...people complaining about getting 'pop up spam'. Uhh...why do you have the net messenger service, let alone Netbios, exposed to the public Internet in the first place???
I've seen Jetdirect cards on the raw internet, with NO PASSWORD (gee, let's reconfigure him to have the same ip address as their router, should be fun), Echo and Chargen (Simple DOS attack, anybody?), RPC, etc etc. There is no excuse for this.
Linux used to be very bad in this regard, shipping with many unnecessary things running by default, but has gotten better in recent years.
Windows and linux alike need to ship with NOTHING BUT BARE ESSENTIAL services running. Anybody who NEEDS anything else, should then know how to enable it and properly lock it down, unlike the 'whore mode' situation we have had to date.
The problem in the Microsoft world, of course, is installation programs, and even the OS, running all kinds of stuff without your knowledge. When you install software on a windows box, you have no idea what it is opening up to the world. You also do not have any tools that come with the os that make it easy to figure out what is listening either. This needs to change. The culture of "windows admins" also needs to change. They have to actually UNDERSTAND TCP/IP networking now, so that they can do the right thing.
Symantec now has a multi-million dollar program where you can send logs via a dedicated line from ALL of your servers to some Symantec command center where they will figure out if you have a security problem.
For my employers 2,500 servers that will result in over 3GB of data per minute.
MICROSOFT!!!
There aren't serious antivirus developers right now IMHO. May be the vbs-script-kiddie-fever from two years ago killed their minds, dunno. Or may be it's the money.
By now you won't get any av software that isn't just a marketing campaing.
Just look into antivirus databases of virus descriptions and see the point. I bet you'll notice a little difference arround year 2001 in the technical contents.
May be we can think there are not good virus writers like later 90s, again I don't know. But I'm smart enough to see that a virus description that just is a 'run the binary and describe what you get' is not a great research work, and something you can fix by hand and avoid just with common sense it isn't a menace.
Each time a new user starts with computers using XP, we get another guy that knows nothing about what is a virus and what are the real threats (well, he really knows nothing).
That's the feed for the antiviral industry. It's quite easier remove a virus that its main power is just a 'click me, retarded' than true menaces (let's say hybris, klez, magister, sircam, code red, sqlhammer, and all this shit). They need to maintain a high level of risk, so you will buy an antivirus. No matter if it's not true.
Who protects our data? Or say... do you believe? :-)
another vulnerability in the system, this one installing patches automatically. Anyone want to bet how long before someone finds a vulnerability in the auto-patch code and steal the machine?
I am the Barber of Seville.
product??? Why do slashdot moderators post such stories? How independent is slashdot itself?
warn of a new terrorist attack - then blow something up to prove it...Symantec predicts a Flash Attack and - Wallah (pardon the fake Arabic) - some hackers will produce one next week or next month...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
...when you can just post the URL on Slashdot?
Symantec and competitors should offer a "vaccination" service to theit customers when a vulnerability is discovered, that uses the vulnerability itself to patch or otherwise alert/discover/report systems at risk or already participating. The vaccinations shpuld be IP address limited, to reduce likelihood of escape.
When networks have automated virus defenses, the virii will attack the automated defenses.
Cyber-AIDS.
Or was the Slammer worm loosed on the Internet four or five months after the vulnerability was announced?
Are they advocating cutting the gap time by a few months here?
Someone named an OS for me.