Slashdot Mirror
Gartner Debunks Over-Hyped Security Threats
TPIRman writes "At Gartner's recent IT Security Summit, the research company's analysts identified five over-hyped security concerns. Among the supposed FUD are mobile malware, unsafe VoIP, and cracker-friendly wireless hotspots. Gartner, which has made a name for itself tracking hype, claims that irrational anxiety is holding back technologies that offer benefits greater than their security risks. A Techworld columnist argues, though, that Gartner is sending mixed messages."
And the hotspots less sympathetic to our racist neighbors south of the Mason-Dixon line? These are somehow more secure?
I'm so confused...
From the department of wishful thinking:
Gartner, please debunk yourself as anything other than a PHB-opinion-bolstering old boys club. I battle the Powers That Be here constantly - any proposal is met with "well what does Gartner say about it?". Take your magic quadrant, and... well, you know.
If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another).
Gartner is just a multiplicity of Dvoraks, all groupthinking what the Next Big Thing is.
I want to delete my account but Slashdot doesn't allow it.
I didn't even know they existed in this world of secretarial computer experts and "computer enthusiasts".
A "Warhol Worm" is a worm that infects all
vulnerable machines on the Internet within 15 minutes.
Warhol must be a new spelling for Windows...
"We are all geniuses when we dream"
- E.M. Cioran
Some Nigerian called me and told me my refrigerator was running. Damn near broke my ankle jogging down the street before I realized I had been had. They used my absence to steal all my cans of Sir Walter Raleigh.
I didn't RTFM but no mobile malware? Just in time for the bluetooth crack mentioned the other day. Par for the course for Gartner..
I've never really understood why people listen to the Gartner report-of-the-week when company's IT department probably have been telling their management THE EXACT SAME THING.
All Gartner does is state the obvious and suggest staying with the status-quo.
("We predict Microsoft software will have an 89% chance of being the dominant desktop software for the next year"... arrrggghhh)
Geesh, I'm going to start sending out my own press releases, set up a secure login web site and charge people for saying obvious things.
("Don't take your toaster into the bathtub with you...98% chance of bad things happening")
Since then, anytime I see "Gartner Group" in print, my brain replaces it with "information prostitutes".
Anonymous Kev
Proudly posting as AC since 1997
(Finally got a dang account in 2004)
Yeh, and thanks to this hype I manage to get dozes of passwords everyday from nearby hotspot :-) Plus, the thousands of insecure corporate networks that use insecure wifi is also certainly a hype. Thanks Gartner, I'll enjoy my free Internet access from anywhere in the city longer :-)
I did not RTA, but it seems to me that your degree of paranoia should be relative to the importance of what you're protecting.
For instance, I don't use wireless on my work network because I have a lot of confidential client information to protect. But at home I like the convenience of being able to roam the house and yard.
I've learned this over the last few years, the people running the show over at Gartner are nothing but world elitists that are more than happy to usher in the New World Order. They have a game plan and there's nothing we can do about it. Consider yourself nothing but cattle because that's what they consider you as. Gartner will be pushing for global RFID tagging programming for humans soon, they'll just say the benefits are similar to the global smallpox vaccine that the united nations forced onto the world earlier in the century. See, we all benefit from the new world order, it will prevent disease and famine..
I'm not down with that. I'm ready for them. I've got some serious shit going on down here. Mack-10, Uzi, flak jacket, and landmines. I'm going down in flames, they can steal my pride, but not my freedom! Fuck the man.
So, if the developers of this new technology develop a system quickly, and with little regard for security, is it really paranoia? Yeah, new technologies are cool, but you HAVE to think about security during the design. It's fine to use things like TFTP for configs when you're doing a proof of concept, but before production release, maybe it be good to take out the unsecured protocols?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
This is actually a good question, especially in light of the security risk question. I think the only way to evaluate benefits of technology is to look at how much a technology reduces the cost of living and/or how much it improves quality of living. For instance, a plow greatly reduced the cost of living for farmers - they now had to spend less time plowing for a given amount of production. The invention of air conditioning increased quality of living quite a bit. It's a little more difficult to measure just what having VOIP, for instance, gives us. VOIP doesn't really reduce the cost of living, and it really doesn't improve the quality of living compared to POTS. Perhaps it does slightly reduce the costs, if VOIP is less expensive than POTS, because that means VOIP users spend less of their "time" paying for communications.
The risks need to be weighed against the benefit though. For instance, there's a greater risk of getting injured by a plow than by digging things by hand, but the benefit is huge. The way I think things should be examined is what is the added risk for added benefit?
My personal assessment is that VOIP or wireless hotspots, or whatever, are not going to improve my life quality over what it is now, nor will they reduce my cost of living significantly. So, if there is *any* added security risk, it's not even in my consideration.
"There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
Over-hyped? Garntner makes their living on hype generation. This is just another attempt at getting more people to subscribe to Gartner reports.
Care to back that up!?
I guess this is the definition of overhyped?
to what Gartner is saying. I have worked in the IT security arena now for almost 5 years and I have noticed this very thing. Security companies, almost without exception, hype the threats to sell their wares. They sell wolf tickets at extremely high prices when 98% of all threats can be mitigated by using good processes and common sense. Remember what Bruce Schneier keeps harping on is true: SECURITY IS A PROCESS, NOT A PRODUCT. Until people get this mantra embedded in their thick skulls, they will continue to be duped by security vendors and their own fears.
Common sense is, unfortunately, not that common. Defense in depth security measures can be achived without spending a lot of money. BUT... your best security is useless if the people behind it are lacking in common sense.
The blog referenced in the slashdot post, by George Ou was very insightful. I don't know how many times I have heard of people implementing the MAC address filtering scheme. I always thought it was a stupid method of securing a network, because it is so simple copy the MAC address. What I had not realized is that I could so easily find out what a specific MAC address is. I had not thought of using a sniffer for this. I always assumed physical security would need to be breached to determine the MAC address of a preffered client. It makes sense though, for the wireless client to access a wireless AP they must broadcast the MAC address.
jc2it "Humor is mankind's greatest blessing." -Mark Twain
[1]
Gartner analysts project that through 2007, the Internet will meet performance and security requirements for all business-to-consumer traffic, 70 percent of business-to-business traffic and more than half of corporate wide area network (WAN) traffic.
[2]
"Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Mr. Orans said.
I've been Googling for the last fifteen minutes and couldn't find any reference about the Gartner Group downplaying AIDS.
I know its not quite what the author was talking about, but I really think Phishing is overrated as a security concern. Its certainly spam but its really more of a universal test of who is a moron than a security concern. Just today I was reading an article in BW on company strategies to defeat Phishing. All I could think was that anybody who would fall for those emails is really too stupid to own a computer in the first place.
Gartner debunked something? When did they become objective? This is the same Gartner that i've heard say "and for this consulting engagement price, i'm sure that our findings would favor your solution." Please. Any "research" they've done is obviously either just a mish mash of other people's findings, or it's sponsored by a vendor.
-- http://www.criticalassets.com
This is one of the most irresponsible statements I have ever heard.
1. VoIP is UNSAFE!
While Gartner contends that VoiP is safe because it is protected like all other data on the LAN, they fail to realize or point out that public internet usage of VoIP has now exceeded that of corporate use thanks to the likes of Vonage, SpeakEasy, Time Warner and Verizon who all offer ineternet based VoIP to millioins of subscribers. These subscribers ARE vulnerable to eavesdropping but, more importantly, they are vulnerable to Denial of Service(DoS) attacks. Thanks to VoIP, any script kiddy can turn off your phone service!
2. Wireless access IS UNSAFE!
Not only is there the massive and not entirely obvious risk of unencrypted information being transmitted over the air for anyone to see, there is also the increasing risk of hotspot phishing scams where fake hotspots are setup for collecting account information and passwords. Almost all public hotspots provide or require no encryption what-so-ever and most ISPs do not require encryption for things like POP3 access. But there are many other risks because of wireless as well.
To say that these risks are over hyped or do not exist is irresponsible. The deployment of these technologies should definitely be held up because they are unsafe!
Shouldn't this really be, "Gartner, which has made a name for itself CREATING hype"?
If you're gonna troll, choose a version of linux that was released a little more recently.
GETPKG - Package Management for Slackware
Last year, the only security training my company's Infosec director and manager took was to Gartner's Security Conference, but only because they paid for everything including travel and hotel costs because attendance is always low. When my boss got back, and she's not exactly a security expert by any sense of the word, she said it was horrible. That says a lot coming from someone as ignorant of security as her. She said people would show up, the presentations would start, and over the next hour or so people would file out the doors and never return. She said the rooms ended up being less thant 10% full by the end of the talks because no one wanted to hear them.
This company, which I left recently, based all of their decisions on Gartner's Magic Quadrant. Of course, it was always funny doing the conference calls with their analysts to discuss technologies we were interested in, and they could never go beyond the script they had prepared for the call. When my boss wanted to buy some form of HIDS, they basically did a call on why we should purchase Symantec's new product over Symantec's older product. Nevermind that there were better products from their own literature. The guy couldn't answer any question about the product that wasn't on the literature he'd sent or was reading from. It was depressing, because his opinion mattered more to my management than the opinions of those who would be using and monitoring the software and knew what our requirements were.
Remember the Alamo, and God Bless Texas...
The message is clear: Pay us and we will report anything you want.
Yeah, the the other guy said, Red Hat 7.1 came out in 4-16-2001. Maybe try the latest Fedora Core, that will be the latest Red Hat type distro you can get. After you try that, and still have all the same problems, then you can complain.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
These are the same people who said the AIDs virus wasn't a big deal and was overhyped.
Thats probably the one thing they did get right. The "AIDS epidemic" is just something researchers made up so they can get hold of a big govn't tit. How can something be an epidemic that is a result of irresponsible behavior? Is early death due to heart attack and stroke called an epidemic? Not really, because the people who suffer these things are completely responsible for their disease.
Sure, some will quote that "juice man" who died pretty early. Well, do a google search on "grapefruit juice drug interactions".
Posting AC because anyone who denounces the AIDS brainwashing seems to get modded troll......
irresponsible behavior?
Like blood transfusions right? You realize that if the government hadn't stepped in to say "hey wait, you might want to check that blood before you go around pumping it into people" we'd still not be testing for diseases, especially with all the blood banks screaming about this or that crisis these days. It's not like the blood tests are free either, and they certainly aren't going to charge people to give blood.
Or hey, saving lives. You give someone CPR, and most of the time, they WILL throw up. Because of the "AIDS epidemic" there are now specially-designed "rescue breathing" mouthpieces to make sure that the people irresponsible enough to save someone's life can do so while coming into contact with any bodily fluids.
Posting AC because anyone who denounces the AIDS brainwashing seems to get modded troll
Gee, wonder why? Maybe because you are a troll, and stupid to boot.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Stop acting like the .002% of the population you're describing are in any way indicative of how AIDS is transmitted.
Yes, there are people who got it without engaging in irresponsible behavior, and that is a tragedy.
But they are VASTLY outnumbered by people who used dirty needles or fucked someone they shouldn't have. THEY are representative, not your ridiculously small example groups.
I could see most of them being over hyped, but as I said over at http://www.whitedust.net/speaks/675/ how can you not overyhype open wireless hotspots?
It's true. It's that bad.
The only one that was in that league of lameness, is Information Security Decisions by Information Security magazine. Another free conference. Horrible. Avoid at all costs.
Aren't they the same group of people who fired someone for suggesting that people switch to Firefox from IE because IE wasn't secure? This was before SP2 was out I believe. Maybe they thought that was hype too... A group that fires someone for speaking the truth makes me question their qualification as consultants.
EvilCON - Made Famous by
I've always thought it was dumb to call a malicious hacker a "cracker". It makes a hash of the whole concept of "hacking", and it just confuses non-techies. Besides, it sounds silly.
Another word we need to get rid of: "FUD". Started out as Sun's way of saying that all criticism of Java was Microsoft propaganda. Then it became a way of dismissing anybody you disagreed with as being dishonest. Now this submitter is using it to mean "unfounded fear". It's always been bad jargon, now it's meaningless jargon! Time to drop it.
One example is VPNs. Seen by most as improving security, and uncrackable due to strong encryption, but poor config and vendor flaws often make them the easiest way in.
Some of the things I've seen, even with large financials, are downright scary. This link gives some examples of the problems: http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaw s-Whitepaper.pdf
...I'm sure they would have said that the need for lifeboats had been overhyped. By greedy lifeboat companies trying to spike sales.
"How to Do Nothing," kids activities, back in print!
That would have been funny if you'd said "to our neighbors in Georga". Instead you repeated and reenforced a racial and ethnic stereotype: That (all) white southerners are all racists. This ruined the joke for a lot of your readers.
I'm inclined to assume - THIS time - that it was ignorance rather than hatred-driven intent that led to this faux pas. But please be aware of how such statements might affect others - and that the same pun is available in a non-painful form.
By the way: If you're living in a subculture where that meaning of "cracker" is more common than the alternative I suggested, the people around you have probably set you up for the same problem with "redneck".
A "redneck" - as used by rednecks themselves - is a person who works outdoors, typically in a rural setting, typically with short hair, typically with ancestry predominantly white, indian, or a mix. It refers to the skin tone - sunburn or red undetne on the back of the neck. It does not have the connotaton of "moron" or "racist", and in fact real rednecks are actually of (at least) the normal range of intelligence (with plenty of high-achievement geniuses) and average far LESS racist than the inhabitants of the coastal urban areas. (For starters, the bulk of the actual rocket scientists on the moon shot were rednecks.)
The "racist moron" stereotype was initially promulgated by the eastern coal companies during the start of unionization. (They also made a big point of how these people were allegedly "mongrels", i.e. racially mixed - European, Indian, and African.) It was no accident that Darrow and Scopes were both hired by a mine manager to break the local religion, which supported the unions and provided a place where workers could meet to organize with little fear of attack by the companies' mercenary thugs. The remains of this propaganda campaign still hang over in the culture of US eastern cities and thus in the US media.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If they've had valid opinions, I haven't heard them. So if Gardner pans something, I'll consider that it's plausibly something good.
OTOH, I must admit that most of what they talk about is just of zero interest to me whether what they claim is right or wrong...so in those cases I just assume they are wrong. It hasn't hurt me yet. (N.B.: Presume does not me that I believe something, merely that I consider it more probable than not.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Hope to see history repeating at a larger scale...
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
Don't feed the troll, that is obviously a canned comment.
It is important to honesty state the risks of new technology.
True, having an honest assessment may delay rollout of new technologies and may cause others to be abandoned because the vendors think the payoff won't be as great if they expect to have only 10 million customers instead of 20 million in the time before the tech is obsoleted, but in the long run this is better than the technological equivalent thalidomide.
The bottom line:
If risks are properly understood, those who can afford to take the risks will use the technology, those who can't won't. If there is not enough of a market, the vendors may spend their money on other, more profitable ventures.
If risks are not properly understood, then people will, in ignorance, take risks they would never knowingly take.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The problem with all of these reports is that someone in senior management will read "wireless LAN insecurity overhyped" without understanding the context, go down the local PC store, buy some consumer wireless router, plug it into the network and when the security guys complain, they point to the Gartner article.
We get this everyday at work. What (at least our) senior management guys don't understand is that it's possible to implement virtually anything, but there's a stupid way of doing it (with big security holes and without enterprise management in mind) and an intelligent, more secure (and yes, let's face it, probably more expensive) way. But for an organisation with nearly 15,000 PCs, it's hard to manage those 200 Linksys wireless routers individually...
It's tabloid headline grabbing, that's all. Nothing new here.
Rant over.
VoIP or, more specifically, packetized voice data, has allowed telcos to internally cut costs, since they don't have to have one physical wire/radio-channel or fixed-fraction-thereof to carry a voice channel. This has not only brought the costs of domestic long-distance down to the $2/hr range before taxes, but it's also allowed "clear as a bell" long distance.
VoIP has allowed some customers to have free worldwide (where permitted by law) long distance between VoIP-equipped endpoints, and very low-cost (<$1/hr before taxes) long distance. This means you can talk to your son in Iraq or your family overseas a lot more often and for a lot longer than in "the old days," law permitting.
--
Note - some countries are VoIP hostile because it cuts into revenue for the local telco monopoly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
With broken web browsers and email clients, it's very possible to get an email "from" your bank, that says "click here" and have it take you to an SSL web site, and have the url of the web site appear to be www.yourbank.com/login.php.
k p/2ndchancecarloan.html*] for details.
The average person who is told "verify the URL" and "look for the security lock" will fall for this once.
Even better if the email does not sound alarming and does not specifically ask for a login. For example:
-------
From: carloans@yourbank.com
Subject: Need cash? Let us give you a loan on your existing car
Body:
Yourbank is proud to announce our "second chance car loan" at only 4% interest if you act before June 30, 2005. Click here [www.yourbank.com%00@northkoreagovernmenthackers.
-------
*broken browsers will show this as "www.yourbank.com."
Then, from that page, have buttons like "check your balance" and such that direct you to a fake login screen, that in turn behind the scenes actually gets the data from your real bank.
Such a scheme would fool a lot of people in the few hours before it was shut down.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
fucked someone they shouldn't have.
Like married people whose spouses turn out to be unfaithful.
Just because the majority of people with the disease got it because of their behavior is no reason to continue to tar everyone's reputation. You wouldn't go around calling Blizzard copyright infringers because they use bittorrent for distributing patches, would you?
If I have been able to see further than others, it is because I bought a pair of binoculars.
"It's overhyped...., but, to be safe, do this, and this, and this, and this, and this, and this........"
Overhyped, huh...yeah ok.
I don't much care for crackers. I would prefer to find a doughnut-friendly hotspot. MMMMMMMMMMM doughnuts.
Damn! I've been captcha'd
Anything Gartner (or any other analyst company) says is bought and paid for by someone.
Ignore them the same way and for the same reasons that you don't watch the shopping channels: They are peddling over-priced garbage that you don't need.
I had forgotten how much cooler teenagers look when they are smoking. Oh, wait
Are you playing Devil's advocate or are you a Gartner shill? Do you know what a Denial of Serice(DoS) attack is? Slashdot is responsible for several of them per day. Do you know how to prevent or defend against them? Microsoft, Yahoo and many others have yet to figure out how to effectively defend against, let alone prevent, a DoS attack. Post your IP address here and then try to use Vonage, you will see that your phone service has been "turned off" because all of your bandwidth will be consumed by other traffic, leaving none for your VoIP. Put your money where your mouth is and post your real IP.
How about when the next Outlook virus strikes and your ISP's pipes are tied up with "I love you" or "Melissa" esque traffic. Do you think your Vonage service will be working then? I sure hope that you don't need it to call 911!
You are probably one of those people that believes that switched networks are more secure because "sniffers are ineffective in switched networks". Those same people claim that this is fact because Cisco says or use to say so. For those that don't know any better, switches offer no such security.
As for hotspots, it is true that most people do not need general browsing to be encrypted. But, you assume that browsing is all that most people do via public hotspots. The original post mentioned POP3 specifically. How many people, do you think, use the same password for their POP3 account that they do for their other accounts?
How many people, do you think, use wireless hotspots to access their corporate network resources? A very large number of them do. Did you know that, by default, Exchange 2000's Outlook Web Access doesn't even use SSL for the login much less the email data that contains who knows what confidential information?
The the exploitation of these services is trivial and the risks are very real. Just because they have not YET been widely exploited does not mean that they won't be. Furthermore, Gartner and or you claiming that the risks are overhyped will not prevent it either. It is simple economics. As soon as there is sufficient economic advantage in the exploits to justify the risk of prosecution, the exploitation of these services WILL be common place.
What about Iraq? Oh, wait - we made sure that Iraq would be a threat, after creating its myth. Dreams really do come true, with a $2.5T budget!
--
make install -not war
Wireless access points are pretty easy to create a man in the middle attack. Want to know how? Create an access point that mimics a corporate wireless access point that will take a user log in and redirect them to the real access point they are trying to connect to and pass their MAC and login to the next access point. Most people won't check the authenticity of their access point so as long as they can log in and get to the network, they won't think a single thing is different.
You now have their login, approved MAC address, and their encryption key. I know this is a bit simplified, but let me say this, in no certain way should your wireless access points EVER be trusted. If you allow APs to get into your internal network, they are like hanging a bunch of open ethernet ports on the side of your building, regardless of how "secure" you may think they are.
I'm not saying people should not use wireless, but rather, that they should at least be aware of the security risks that it presents.
zosxavius photography
this consultant is the same fellow that will be reviewing our product later on in the year. it's not that out company is doing anything underhanded, that's just the way it works with them.
A public hotspot needs some sort of encryption with a guest. You may not be doing anything important, but what most people do on the web is check email. A login, or an important bit of info can get grabbed.
The only reason this is not an issue is that there aren't a lot of crooks taking advantage of it. But let this become a widespread utility of business by people thinking "the security issue is overhyped", and then you only have people reacting after they have been badly stung.
I can easily see a lot of corporate security as over-hyped. They could get rid of usernames and passwords and IP addresses on most intranets. But the traffic between the network and the rest of the world should be encrypted. They shouldn't make it easy for "man in the middle" attacks and packet sniffers or they will create a new fertile ground for crooks. Just ignore the issue, make it part of your infrastructure and then wait for the parasites.
>>"ad space available -- low rates!!!"