When Malware Authors Combine Efforts
An anonymous reader writes "Spammers, hackers and virus writers are all teaming up according to some Russian security researchers. This means that they reckon that weaknesses will be exploited in a matter of hours of being announced, rather than the weeks and months that we're seeing now.
Scary stuff."
Is it just me, or does it seem that every story that lists the source as a "Russian Security Expert" is generally a load of crap?
-Phixxr
ungggghhhh
Privacy is important, but isn't the general anonymity of the net a contributor to these sorts of problems?
It's a shame, but it seems some people are malicious in proportion to their anonymity.
Once done, they have a certain population size (vulnerable hosts) that can be almost instantly assaulted.
On the white-hat side, once the malware is noticed, it may take months to patch the initial security hole and even longer to patch the entire population of vulnerable hosts.
This is why vulnerability announcements are so important; the software that survives in the future will be the one with the shortest vulnerability-to-patch cycle. The others will die off ... only the strong survive!
However, this article is pleading that we should *not* be publishing vulnerabilities, "because it gives hackers a tool", and I disagree with this. Publishing vulnerabilities is a way to alert the public of exploits that are present. What we need to do is make the publishing of vulnerabilities more popular than it is so that the general public is aware of problems and alerted on how to fix them.
Beat the computer, program your life.
You know what? Business needs remain the same regardless of how fast hackers are writing exploits. Few companies, Microsoft included, could afford to have a 24x7 staff of patch writers for all of the applications they have deployed.
This is the greatest argument for open source software I have ever seen. A proprietary model of development is going to get creamed as people take advantage of their limited resources and exploit the woo wang out of their apps. FOSS apps, on the other hand, potentially have hundreds of thousands of people ready to go worldwide at any given moment to correct problems as they happen.
M
How does this change anything? This situation already exists and has existed for years. There has always been an element of pay-to-attack behavior as well as gathering resources via mass shotgunned attacks. And, in fact, spammers have been tapping into this environment for a while.
Mistaking hacker for cracker is acceptable on the general media, where people aren't very aware of such subtleties. But on Slashdot? C'mon, I know Slashdot is crawling with Windows users, wannabes and such, but this is getting offhand!
Stupidity is an equal opportunity striker.
Fellow slashdotter Bill Dog
I think you can probably even skip the first couple steps.
True, but having the additional steps is what makes it a +5 funny post. "Unplug your ethernet cable" would probably be modded troll.
How can you trust such a non-trustable source anyway?
I think you underestimate how many companies are told they have vulnerable software rather than find it themselves. Http-equiv from malware.com finds tons of stuff and the Samba team used to submit a number of vulnerabilities they found in Microsoft's implementation. And all the time vulnerabilities are disclosed, sometimes the company is told beforehand and if they don't act quickly enough then they are disclosed publicly, otherwise the company may find out at the same time you do. Regardless, if some third party does find a vulnerability and 2 or more people know about it, the world will know about it within a week. "Three can keep a secret if two are dead". So in short, yes, companies need to be prepared 24/7 to fix their faulty software as fast as possible.
Regards,
Steve
A good portion of the time, hackers and such learn about the exploits by reverse-engineering patches and updates. The problem isn't 'security through obscurity' so much as just that most users are too lazy to patch their computers when a new update comes out.
WWD4D?
You missed some...
6. People get sick of it and whine
7. People move to Linux
8. Profit for someone else!
I like muppets.
"This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."
This pushes security discussion underground, but doesn't stop the bad guys, just leaves the administrators vulnerable and unaware. Very easy to spread this sort of propaganda however... hopefully it doesn't lead to laws being passed.
Cwm, fjord-bank glyphs vext quiz
By the time someone with enough motivation (read funding) to write an article on a vulnerability does so, the bad guys have already written exploits. Why? For the same reason...they get paid!
The published articles allow the moderately tech savvy user to protect themselves. Additionally, it forces the software makers' hand to close the vulnerability faster than if they had no pressure at all. Ultimately, this is our only way of shaming large companies into creating proper software and delaying the releases until they've created a more hardened product.
Yes, hanging out the dirty laundry of vulnerabilities makes it easy for the junior hackers to create something out of nothing, but I'd rather we all know about the problems at the same time than a few sophisticated spam hackers knowing about the problems for an indefinite amount of time.
Never go to sea with two chronometers; take one or three.
Once a patch is released, most businesses will do their own testing before rolling it out into production. This will often take several days. It's not unheard of for a patch to break something, and they don't want that "something" to be one of their mission critical servers or apps. Even if the exploit and patch were released at the same time, it would still take days for many organizations to roll out the patch.
Before you decide that full disclosure is a bad thing, you should ask yourself if you're really better off not knowing about vulnerabilities in the software you're using. What incentive would the makers of this software have to find and fix the vulnerabilities in a timely manner if no one ever put pressure on them? How much testing would they do if no one else did their own vulnerability testing after the software was available?
How many of the "bad guys" do you suppose already know about vulnerabilities long before they're disclosed? If someone is actively exploiting an undisclosed vulnerability, do you think they would create a trojan and get the vendor's attention? The vulnerability that Blaster exploited was introduced in NT4 back in 1996. How many people exploited this vulnerability before it was disclosed? We have no way of knowing.
until even Firefox will be useless, because see they are gaining market share in leaps and bounds, which makes them a target for malware and exploits now. It's only a matter of time until only lynx will be safe.
Closed-source software has the ability to write the patch before disclosing the vulnerability.
I believe in open source 100%, I just think that this argument falls against, not for OSS.
Every time a new exploit travels around the internet, there are posts here saying things like "it's a good thing there was that bug ..." or "it's a good thing they used a relatively inefficient search for new hosts ..." or "it's a good thing it failed to disguise itself in this way ..."
...
If there's a movement towards greater code reuse, sharing of ideas, and debugging help among the people creating these exploits, we won't just see a speed difference -- we'll see a quality difference. We've been relying on security through malware incompetence for a little too long
From TFA...
"This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."
Wouldn't it be more important to be against anyone who creates vulnerabilities rather than those who inform us about them so we can patch or even shut off services if necessary?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
as long as it is the software company itself who finds the virus...
Microsoft's problem is testing.
When they have a patch, it has to be backported to hundreds of languages, versions, service packs, major releases, then tested on those and finally tested with a variety of applications before they get released.
Linux/OSS tends to break binary compatibility far more often than Linux so it's much easier: you just patch the latest version of the software and [for major projects] backport it to older releases. For example, you don't see Firefox backporting all of the security fixes to earlier versions. If it was Microsoft, they'd have to port them to IE5, IE5.5 and IE6, then test on all the various OSs etc. Firefox can just say 'here is 1.0.1. Upgrade to be safe'. They'd probably offer XPI files for older versions if it was very severe though.
But yes, I agree that OSS will win this battle, but it's not just because of developer numbers. As Joel Spolsky recently said in his interview with salon.com, 90% of Microsoft is basically red-tape.
IntechHosting - Free domain, 2GB, PHP, £4.95/$8.95
I know this has been stated MANY times before in various ways, but if "closed source" truly is effective in preventing malware/hacks/virii simply because the source isn't available for anyone's inspection - then why do we see all the security flaws popping up with IIS? Meanwhile Apache has comparable market-share and usage world-wide on the net as a web server, and it is considered far more secure?
By the same token, Linux and BSD have been chosen as the platform many commercial firewall/router products are based on, despite being open-source. If open-source really had a "disadvantage", security-wise, by the mere fact that it's freely available code - then wouldn't you think companies like Netgear or Cisco/Linksys would steer clear of them in security-related network appliances?
Of course "exploits are expected to come out within hours of disclosure" - but that seems like a pretty general statement to me. Far more people with malicious intent are capable of slapping together some code based on a documented flaw than figuring out a previously undiscovered flaw and exploiting it. If you disclose a Linux or BSD security flaw, I'd say it's just as likely to be exploited quickly as a Windows flaw.
Ethernet socket driver for a simple ethernet card.
Trumpet Winsock or similar to bind to the 0x60 DOS socket.
$20 router connected to your DSL to do the PPPoE login, as well as a bit of firewalling to any computers internally.
I would never suggest using a PPPoE utility on the computer when routers are so cheap and useful. Most DSL modems even have the router logic built-in nowadays.