Gartner Debunks Over-Hyped Security Threats
TPIRman writes "At Gartner's recent IT Security Summit, the research company's analysts identified five over-hyped security concerns. Among the supposed FUD are mobile malware, unsafe VoIP, and cracker-friendly wireless hotspots. Gartner, which has made a name for itself tracking hype, claims that irrational anxiety is holding back technologies that offer benefits greater than their security risks. A Techworld columnist argues, though, that Gartner is sending mixed messages."
And the hotspots less sympathetic to our racist neighbors south of the Mason-Dixon line? These are somehow more secure?
I'm so confused...
That I got this FP in!
From the department of wishful thinking:
Gartner, please debunk yourself as anything other than a PHB-opinion-bolstering old boys club. I battle the Powers That Be here constantly - any proposal is met with "well what does Gartner say about it?". Take your magic quadrant, and... well, you know.
If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another).
Gartner is just a multiplicity of Dvoraks, all groupthinking what the Next Big Thing is.
I want to delete my account but Slashdot doesn't allow it.
I added a Linux partition to my WindowsXP box, and installed Redhat 7.1. When I try to close one window in Mozilla, ALL of my open Mozilla windows crash. When I try to move my mouse in KDE, it freezes up and I have to telnet into the machine from my XP box to shut it down.
I heard Linux was more stable and secure, but how come I'm having these problems? Also I can't run any Windows programs in Wine because Wine can't run them for some reason. I paid for the Redhat Pro box, which cost me almost 200 dollars, and the Redhat tech support was very feeble and wouldn't answer any questions other than the most basic. Redhat did send me a hat for buying the Pro version, but I'll have to toss it because I wouldn't want anyone to know that I was foolish enough to pay for a Linux distro.
With all these Linux problems, how could those promoting Linux say it is more stable than Windows? It isn't from my experience, and the money I wasted on Redhat 7.1 could've been spent on a date. My question is, why would people use FUD to promote something that doesn't work on the desktop?
Thankfully I used Partition Magic to reformat my Linux partition and now my Windows XP OS does everything I want. Common sense tells me there is a reason why people don't use Linux, and it's not because Microsoft is "evil". I've never had any problems with a Windows OS crashing (mostly because I used Win NT 4, Win2k and now XP).
Why do you guys lie so much about Linux? It seems like a fun hobbyist toy, but for real work, XP is the answer. Maybe if your claims about stability were true, more people would use Linux.
I didn't even know they existed in this world of secretarial computer experts and "computer enthusiasts".
A "Warhol Worm" is a worm that infects all
vulnerable machines on the Internet within 15 minutes.
Warhol must be a new spelling for Windows...
"We are all geniuses when we dream"
- E.M. Cioran
I'm sorry but Gartner? These are the same people who said the AIDS virus wasn't a big deal and was overhyped. (Before I get modded troll, it really is true)
--
WHO ATE MY BREAKFAST PANTS?
Some Nigerian called me and told me my refrigerator was running. Damn near broke my ankle jogging down the street before I realized I had been had. They used my absence to steal all my cans of Sir Walter Raleigh.
I didn't RTFM but no mobile malware? Just in time for the bluetooth crack mentioned the other day. Par for the course for Gartner..
I've never really understood why people listen to the Gartner report-of-the-week when the company's IT department has probably been telling their management THE EXACT SAME THING.
All Gartner does is state the obvious and suggest staying with the status-quo.
("We predict Microsoft software will have an 89% chance of being the dominant desktop software for the next year"... arrrggghhh)
Geesh, I'm going to start sending out my own press releases, set up a secure login web site and charge people for saying obvious things.
("Don't take your toaster into the bathtub with you...98% chance of bad things happening")
Actually, I meant that rhetorically. Because I am your God (what else is new) I and I alone will tell you what you will be doing!
You will be jacking off into your own fucking face! Now get to work, prole, before I seal your rectum shut with my mighty God-laser.
Yeh, and thanks to this hype I manage to get dozens of passwords every day from a nearby hotspot :-) Plus, the thousands of insecure corporate networks that use insecure wifi are also certainly hype. Thanks Gartner, I'll enjoy my free Internet access from anywhere in the city longer :-)
I did not RTA, but it seems to me that your degree of paranoia should be relative to the importance of what you're protecting.
For instance, I don't use wireless on my work network because I have a lot of confidential client information to protect. But at home I like the convenience of being able to roam the house and yard.
I've learned this over the last few years, the people running the show over at Gartner are nothing but world elitists that are more than happy to usher in the New World Order. They have a game plan and there's nothing we can do about it. Consider yourself nothing but cattle because that's what they consider you as. Gartner will be pushing for global RFID tagging programs for humans soon, they'll just say the benefits are similar to the global smallpox vaccine that the United Nations forced onto the world earlier in the century. See, we all benefit from the new world order, it will prevent disease and famine..
I'm not down with that. I'm ready for them. I've got some serious shit going on down here. Mack-10, Uzi, flak jacket, and landmines. I'm going down in flames, they can steal my pride, but not my freedom! Fuck the man.
So, if the developers of this new technology develop a system quickly, and with little regard for security, is it really paranoia? Yeah, new technologies are cool, but you HAVE to think about security during the design. It's fine to use things like TFTP for configs when you're doing a proof of concept, but before production release, maybe it would be good to take out the unsecured protocols?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
This is actually a good question, especially in light of the security risk question. I think the only way to evaluate benefits of technology is to look at how much a technology reduces the cost of living and/or how much it improves quality of living. For instance, a plow greatly reduced the cost of living for farmers - they now had to spend less time plowing for a given amount of production. The invention of air conditioning increased quality of living quite a bit. It's a little more difficult to measure just what having VOIP, for instance, gives us. VOIP doesn't really reduce the cost of living, and it really doesn't improve the quality of living compared to POTS. Perhaps it does slightly reduce the costs, if VOIP is less expensive than POTS, because that means VOIP users spend less of their "time" paying for communications.
The risks need to be weighed against the benefit though. For instance, there's a greater risk of getting injured by a plow than by digging things by hand, but the benefit is huge. The way I think things should be examined is what is the added risk for added benefit?
My personal assessment is that VOIP or wireless hotspots, or whatever, are not going to improve my life quality over what it is now, nor will they reduce my cost of living significantly. So, if there is *any* added security risk, it's not even in my consideration.
"There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
Over-hyped? Gartner makes their living on hype generation. This is just another attempt at getting more people to subscribe to Gartner reports.
I guess this is the definition of overhyped?
to what Gartner is saying. I have worked in the IT security arena now for almost 5 years and I have noticed this very thing. Security companies, almost without exception, hype the threats to sell their wares. They sell wolf tickets at extremely high prices when 98% of all threats can be mitigated by using good processes and common sense. Remember what Bruce Schneier keeps harping on is true: SECURITY IS A PROCESS, NOT A PRODUCT. Until people get this mantra embedded in their thick skulls, they will continue to be duped by security vendors and their own fears.
Common sense is, unfortunately, not that common. Defense in depth security measures can be achieved without spending a lot of money. BUT... your best security is useless if the people behind it are lacking in common sense.
The blog referenced in the slashdot post, by George Ou, was very insightful. I don't know how many times I have heard of people implementing the MAC address filtering scheme. I always thought it was a stupid method of securing a network, because it is so simple to copy the MAC address. What I had not realized is that I could so easily find out what a specific MAC address is. I had not thought of using a sniffer for this. I always assumed physical security would need to be breached to determine the MAC address of a preferred client. It makes sense though: for the wireless client to access a wireless AP they must broadcast the MAC address.
jc2it "Humor is mankind's greatest blessing." -Mark Twain
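The point made in the post above, worked through as an added example (not code from the post, from George Ou's blog, or from any AP vendor): the 802.11 MAC header, which carries the station's address, is never encrypted, even when WEP/WPA protects the frame body. A MAC allow-list on the AP only ever compares that cleartext header field, so it is not an access control. The sample frame and the two MAC addresses below are constructed for the example.

```python
import struct

# Constructed sample: one protected data frame from a station to its AP
# (ToDS=1, FromDS=0). Both addresses are made up for this example.
CLIENT_MAC = bytes.fromhex("001122334455")
AP_BSSID = bytes.fromhex("6677889900aa")
SAMPLE_FRAME = (
    bytes([0x08, 0x41])          # frame control: type=Data, subtype=0; flags ToDS | Protected
    + b"\x2c\x00"                # duration / ID
    + AP_BSSID                   # addr1 = receiver (the AP, since ToDS=1)
    + CLIENT_MAC                 # addr2 = transmitter (the station)
    + AP_BSSID                   # addr3 = destination (the AP itself here)
    + b"\x10\x00"                # sequence control
    + bytes(range(0x20, 0x40))   # placeholder for the encrypted body; never parsed below
)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the 802.11 MAC header. Every field read here is cleartext on the air,
    regardless of whether the Protected flag says the body is encrypted."""
    fc0, fc1, _duration, a1, a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    frame_type = (fc0 >> 2) & 0x03
    return {
        "type": {0: "management", 1: "control", 2: "data"}.get(frame_type, "reserved"),
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "protected": bool(fc1 & 0x40),   # body encrypted; header still readable
        "receiver": mac_str(a1),
        "transmitter": mac_str(a2),
        "addr3": mac_str(a3),
    }


def mac_filter_decision(frame: bytes, allow_list: set) -> bool:
    """What an AP's MAC filter actually evaluates: only the cleartext transmitter
    address. Anything else in the frame is irrelevant to the decision."""
    return parse_80211_header(frame)["transmitter"] in allow_list


if __name__ == "__main__":
    header = parse_80211_header(SAMPLE_FRAME)
    print(header)
    print("allowed:", mac_filter_decision(SAMPLE_FRAME, {"00:11:22:33:44:55"}))
```

Because the only input to `mac_filter_decision` is a field every nearby receiver can read, the filter at best keeps out accidental associations; the control that actually binds a session to a credential is WPA2/802.1X authentication, not the address list.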
[1]
Gartner analysts project that through 2007, the Internet will meet performance and security requirements for all business-to-consumer traffic, 70 percent of business-to-business traffic and more than half of corporate wide area network (WAN) traffic.
[2]
"Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Mr. Orans said.
I've been Googling for the last fifteen minutes and couldn't find any reference about the Gartner Group downplaying AIDS.
I know it's not quite what the author was talking about, but I really think phishing is overrated as a security concern. It's certainly spam but it's really more of a universal test of who is a moron than a security concern. Just today I was reading an article in BW on company strategies to defeat phishing. All I could think was that anybody who would fall for those emails is really too stupid to own a computer in the first place.
Gartner debunked something? When did they become objective? This is the same Gartner that i've heard say "and for this consulting engagement price, i'm sure that our findings would favor your solution." Please. Any "research" they've done is obviously either just a mish mash of other people's findings, or it's sponsored by a vendor.
-- http://www.criticalassets.com
This is one of the most irresponsible statements I have ever heard.
1. VoIP is UNSAFE!
While Gartner contends that VoIP is safe because it is protected like all other data on the LAN, they fail to realize or point out that public internet usage of VoIP has now exceeded that of corporate use thanks to the likes of Vonage, SpeakEasy, Time Warner and Verizon who all offer internet-based VoIP to millions of subscribers. These subscribers ARE vulnerable to eavesdropping but, more importantly, they are vulnerable to Denial of Service (DoS) attacks. Thanks to VoIP, any script kiddy can turn off your phone service!
2. Wireless access IS UNSAFE!
Not only is there the massive and not entirely obvious risk of unencrypted information being transmitted over the air for anyone to see, there is also the increasing risk of hotspot phishing scams where fake hotspots are set up for collecting account information and passwords. Almost all public hotspots provide or require no encryption whatsoever and most ISPs do not require encryption for things like POP3 access. But there are many other risks because of wireless as well.
To say that these risks are over hyped or do not exist is irresponsible. The deployment of these technologies should definitely be held up because they are unsafe!
Shouldn't this really be, "Gartner, which has made a name for itself CREATING hype"?
Why do SlashDot editors allow posts that advertise commercial firms? Especially Gartner, Microsoft's concubine.
While the duct tape salesmen who sell the crappy antidote to these problems using addictive business models deserve to have the fearmongering marketing debunked...
That doesn`t make the problems any less real!
You could say the way to get rid of the "antivirus" (DOS known-bad cleanup tool) and "firewall" (network-traffic-mutilating packet filter) people is for the people who sell the products mentioned in the article to get their act together on security. Having people claim everything is okay because there are only a few known cases of things going wrong isn't going to help with that.
VOIP does mean that a DDoS attack shuts your phones down. How bad that risk is depends on your business of course. It's just that POTS telcos offer a bit (not completely!) higher reliability in the face of high network load or malicious intent. And when you start using different vendors, achieving privacy protection through encryption becomes less and less easy. So when Gartner argues that VOIP isn't easy to listen in to because it requires direct access to the network, I wonder: did they ever report on "the insider threat"? If they didn't, that's a big oversight, and if they did and ignored their own report here... well, that's bad too.
Also, I don't know people who argue that regulatory compliance is equal to being secure. I argue that having lawyers tell PHBs that not being compliant might result in huge financial damages once sued
And
Having BOFHs tell PHBs that not being secure might result in huge financial damages once hacked... might help more towards security than having just the last one.
Also, the idea that mobile devices need to have an always-on connection to be vulnerable to malware is far-fetched.
"Gartner analysts project that through 2007, the Internet will meet performance and security requirements for all business-to-consumer traffic, 70 percent of business-to-business traffic and more than half of corporate wide area network (WAN) traffic."
Well, that's what it boils down to. If you don't keep asking how secure stuff is, security won't get better, will it? Anyway, what options do consumers have, dial in to BBS systems for their shopping?
Last year, the only security training my company's Infosec director and manager took was to Gartner's Security Conference, but only because they paid for everything including travel and hotel costs because attendance is always low. When my boss got back, and she's not exactly a security expert by any sense of the word, she said it was horrible. That says a lot coming from someone as ignorant of security as her. She said people would show up, the presentations would start, and over the next hour or so people would file out the doors and never return. She said the rooms ended up being less than 10% full by the end of the talks because no one wanted to hear them.
This company, which I left recently, based all of their decisions on Gartner's Magic Quadrant. Of course, it was always funny doing the conference calls with their analysts to discuss technologies we were interested in, and they could never go beyond the script they had prepared for the call. When my boss wanted to buy some form of HIDS, they basically did a call on why we should purchase Symantec's new product over Symantec's older product. Nevermind that there were better products from their own literature. The guy couldn't answer any question about the product that wasn't on the literature he'd sent or was reading from. It was depressing, because his opinion mattered more to my management than the opinions of those who would be using and monitoring the software and knew what our requirements were.
Remember the Alamo, and God Bless Texas...
The message is clear: Pay us and we will report anything you want.
I could see most of them being over hyped, but as I said over at http://www.whitedust.net/speaks/675/ how can you not overhype open wireless hotspots?
It's true. It's that bad.
The only one that was in that league of lameness, is Information Security Decisions by Information Security magazine. Another free conference. Horrible. Avoid at all costs.
Aren't they the same group of people who fired someone for suggesting that people switch to Firefox from IE because IE wasn't secure? This was before SP2 was out I believe. Maybe they thought that was hype too... A group that fires someone for speaking the truth makes me question their qualification as consultants.
EvilCON - Made Famous by
I've always thought it was dumb to call a malicious hacker a "cracker". It makes a hash of the whole concept of "hacking", and it just confuses non-techies. Besides, it sounds silly.
Another word we need to get rid of: "FUD". Started out as Sun's way of saying that all criticism of Java was Microsoft propaganda. Then it became a way of dismissing anybody you disagreed with as being dishonest. Now this submitter is using it to mean "unfounded fear". It's always been bad jargon, now it's meaningless jargon! Time to drop it.
One example is VPNs. Seen by most as improving security, and uncrackable due to strong encryption, but poor config and vendor flaws often make them the easiest way in.
Some of the things I've seen, even with large financials, are downright scary. This link gives some examples of the problems: http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf
...I'm sure they would have said that the need for lifeboats had been overhyped. By greedy lifeboat companies trying to spike sales.
"How to Do Nothing," kids activities, back in print!
That would have been funny if you'd said "to our neighbors in Georgia". Instead you repeated and reinforced a racial and ethnic stereotype: that (all) white southerners are all racists. This ruined the joke for a lot of your readers.
I'm inclined to assume - THIS time - that it was ignorance rather than hatred-driven intent that led to this faux pas. But please be aware of how such statements might affect others - and that the same pun is available in a non-painful form.
By the way: If you're living in a subculture where that meaning of "cracker" is more common than the alternative I suggested, the people around you have probably set you up for the same problem with "redneck".
A "redneck" - as used by rednecks themselves - is a person who works outdoors, typically in a rural setting, typically with short hair, typically with ancestry predominantly white, Indian, or a mix. It refers to the skin tone - sunburn or red undertone on the back of the neck. It does not have the connotation of "moron" or "racist", and in fact real rednecks are actually of (at least) the normal range of intelligence (with plenty of high-achievement geniuses) and average far LESS racist than the inhabitants of the coastal urban areas. (For starters, the bulk of the actual rocket scientists on the moon shot were rednecks.)
The "racist moron" stereotype was initially promulgated by the eastern coal companies during the start of unionization. (They also made a big point of how these people were allegedly "mongrels", i.e. racially mixed - European, Indian, and African.) It was no accident that Darrow and Scopes were both hired by a mine manager to break the local religion, which supported the unions and provided a place where workers could meet to organize with little fear of attack by the companies' mercenary thugs. The remains of this propaganda campaign still hang over in the culture of US eastern cities and thus in the US media.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If they've had valid opinions, I haven't heard them. So if Gartner pans something, I'll consider that it's plausibly something good.
OTOH, I must admit that most of what they talk about is just of zero interest to me whether what they claim is right or wrong... so in those cases I just presume they are wrong. It hasn't hurt me yet. (N.B.: Presume does not mean that I believe something, merely that I consider it more probable than not.)
I think we've pushed this "anyone can grow up to be president" thing too far.
It is important to honestly state the risks of new technology.
True, having an honest assessment may delay rollout of new technologies and may cause others to be abandoned because the vendors think the payoff won't be as great if they expect to have only 10 million customers instead of 20 million in the time before the tech is obsoleted, but in the long run this is better than the technological equivalent of thalidomide.
The bottom line:
If risks are properly understood, those who can afford to take the risks will use the technology, those who can't won't. If there is not enough of a market, the vendors may spend their money on other, more profitable ventures.
If risks are not properly understood, then people will, in ignorance, take risks they would never knowingly take.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The problem with all of these reports is that someone in senior management will read "wireless LAN insecurity overhyped" without understanding the context, go down the local PC store, buy some consumer wireless router, plug it into the network and when the security guys complain, they point to the Gartner article.
We get this everyday at work. What (at least our) senior management guys don't understand is that it's possible to implement virtually anything, but there's a stupid way of doing it (with big security holes and without enterprise management in mind) and an intelligent, more secure (and yes, let's face it, probably more expensive) way. But for an organisation with nearly 15,000 PCs, it's hard to manage those 200 Linksys wireless routers individually...
It's tabloid headline grabbing, that's all. Nothing new here.
Rant over.
VoIP or, more specifically, packetized voice data, has allowed telcos to internally cut costs, since they don't have to have one physical wire/radio-channel or fixed-fraction-thereof to carry a voice channel. This has not only brought the costs of domestic long-distance down to the $2/hr range before taxes, but it's also allowed "clear as a bell" long distance.
VoIP has allowed some customers to have free worldwide (where permitted by law) long distance between VoIP-equipped endpoints, and very low-cost (<$1/hr before taxes) long distance. This means you can talk to your son in Iraq or your family overseas a lot more often and for a lot longer than in "the old days," law permitting.
--
Note - some countries are VoIP hostile because it cuts into revenue for the local telco monopoly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
With broken web browsers and email clients, it's very possible to get an email "from" your bank, that says "click here" and have it take you to an SSL web site, and have the url of the web site appear to be www.yourbank.com/login.php.
The average person who is told "verify the URL" and "look for the security lock" will fall for this once.
Even better if the email does not sound alarming and does not specifically ask for a login. For example:
-------
From: carloans@yourbank.com
Subject: Need cash? Let us give you a loan on your existing car
Body:
Yourbank is proud to announce our "second chance car loan" at only 4% interest if you act before June 30, 2005. Click here [www.yourbank.com%00@northkoreagovernmenthackers.kp/2ndchancecarloan.html*] for details.
-------
*broken browsers will show this as "www.yourbank.com."
Then, from that page, have buttons like "check your balance" and such that direct you to a fake login screen, that in turn behind the scenes actually gets the data from your real bank.
Such a scheme would fool a lot of people in the few hours before it was shut down.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
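The link in the post above abuses the fact that everything before `@` in a URL's authority is userinfo, not the host; the `%00` only matters to browsers that truncate the display there. As an added example (not code from the post or from any mail client), here is the check a mail gateway or a link-rewriting proxy can make to recover the real host and explain why the link is deceptive. The function name `analyze_link` and the dictionary it returns are my own; the phishing link is the one from the post, the legitimate link is constructed.

```python
from urllib.parse import urlsplit


def analyze_link(url: str, expected_domain: str) -> dict:
    """Resolve where a link really goes and list the reasons it looks deceptive.

    expected_domain is the registrable domain the recipient believes they are
    visiting (e.g. "yourbank.com"); any subdomain of it is accepted as genuine.
    """
    if "://" not in url:
        url = "http://" + url          # links pasted into mail bodies often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.username is not None:
        # Per RFC 3986 the text before '@' is userinfo; a browser connects to the
        # host after it no matter how host-like the userinfo looks.
        reasons.append(f"userinfo before '@': {parts.username!r}")
        if expected_domain in parts.username.lower():
            reasons.append("userinfo impersonates the expected domain")

    if "%00" in parts.netloc or "\x00" in parts.netloc:
        reasons.append("NUL byte in the authority part (display-truncation trick)")

    if host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append(f"real host is {host!r}, not {expected_domain!r}")

    return {"host": host, "deceptive": bool(reasons), "reasons": reasons}


# Inputs: the link from the post above, and a constructed legitimate link for contrast.
PHISHING_LINK = "www.yourbank.com%00@northkoreagovernmenthackers.kp/2ndchancecarloan.html"
LEGIT_LINK = "https://www.yourbank.com/login.php"

if __name__ == "__main__":
    for link in (PHISHING_LINK, LEGIT_LINK):
        print(link, "->", analyze_link(link, "yourbank.com"))
```

A gateway that rewrites or blocks any link carrying userinfo removes this whole class of lookalike, since legitimate sites essentially never send `user@host` links by mail.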
"It's overhyped...., but, to be safe, do this, and this, and this, and this, and this, and this........"
Overhyped, huh...yeah ok.
I don't much care for crackers. I would prefer to find a doughnut-friendly hotspot. MMMMMMMMMMM doughnuts.
Damn! I've been captcha'd
Anything Gartner (or any other analyst company) says is bought and paid for by someone.
Ignore them the same way and for the same reasons that you don't watch the shopping channels: They are peddling over-priced garbage that you don't need.
I had forgotten how much cooler teenagers look when they are smoking. Oh, wait
Are you playing Devil's advocate or are you a Gartner shill? Do you know what a Denial of Service (DoS) attack is? Slashdot is responsible for several of them per day. Do you know how to prevent or defend against them? Microsoft, Yahoo and many others have yet to figure out how to effectively defend against, let alone prevent, a DoS attack. Post your IP address here and then try to use Vonage, you will see that your phone service has been "turned off" because all of your bandwidth will be consumed by other traffic, leaving none for your VoIP. Put your money where your mouth is and post your real IP.
How about when the next Outlook virus strikes and your ISP's pipes are tied up with "I love you" or "Melissa" esque traffic. Do you think your Vonage service will be working then? I sure hope that you don't need it to call 911!
You are probably one of those people that believes that switched networks are more secure because "sniffers are ineffective in switched networks". Those same people claim that this is fact because Cisco says or used to say so. For those that don't know any better, switches offer no such security.
As for hotspots, it is true that most people do not need general browsing to be encrypted. But, you assume that browsing is all that most people do via public hotspots. The original post mentioned POP3 specifically. How many people, do you think, use the same password for their POP3 account that they do for their other accounts?
How many people, do you think, use wireless hotspots to access their corporate network resources? A very large number of them do. Did you know that, by default, Exchange 2000's Outlook Web Access doesn't even use SSL for the login much less the email data that contains who knows what confidential information?
The exploitation of these services is trivial and the risks are very real. Just because they have not YET been widely exploited does not mean that they won't be. Furthermore, Gartner and/or you claiming that the risks are overhyped will not prevent it either. It is simple economics. As soon as there is sufficient economic advantage in the exploits to justify the risk of prosecution, the exploitation of these services WILL be commonplace.
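The POP3-over-hotspot point raised in this thread, as an added example (not code from any post here): a passive check of the kind a network monitor or IDS rule performs, which flags POP3 `USER`/`PASS` commands that a client sends before upgrading the connection with `STLS`, and notes whether the server had even offered `STLS`. The two sessions are constructed; the `C:`/`S:` line prefixes are my own notation for client-to-server and server-to-client lines, and the function name is mine.

```python
# Constructed POP3 sessions as a passive monitor would reassemble them.
# "C:" = client -> server, "S:" = server -> client.
PLAINTEXT_SESSION = [
    "S: +OK POP3 server ready",
    "C: CAPA",
    "S: +OK",
    "S: STLS",                  # server advertises STARTTLS-style upgrade...
    "S: USER",
    "S: .",
    "C: USER alice@example.net",        # ...but the client logs in without it
    "S: +OK",
    "C: PASS correct horse battery",
    "S: +OK Logged in",
]

STLS_SESSION = [
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    # everything after this point is TLS ciphertext: no readable commands
]


def find_cleartext_credentials(session):
    """Flag POP3 credentials sent before the connection was upgraded to TLS.

    Returns one finding per credential command. The password is masked so the
    alert can be logged without re-exposing the secret it is warning about.
    """
    findings = []
    tls_started = False
    server_offers_stls = False
    for line in session:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S" and text.upper() == "STLS":
            server_offers_stls = True          # capability line inside the CAPA reply
        if side != "C" or tls_started:
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            tls_started = True                 # subsequent bytes are encrypted
        elif cmd == "USER":
            findings.append({"command": "USER", "value": arg,
                             "stls_available": server_offers_stls})
        elif cmd == "PASS":
            findings.append({"command": "PASS", "value": "*" * len(arg),
                             "stls_available": server_offers_stls})
    return findings


if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("stls", STLS_SESSION)):
        print(name, find_cleartext_credentials(session))
```

On a shared or open hotspot the monitor position is exactly the one any other client of that hotspot holds, which is why the mitigation is on the client side (POP3S on port 995, or a mail client configured to refuse login without STLS) rather than on the access point.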
What about Iraq? Oh, wait - we made sure that Iraq would be a threat, after creating its myth. Dreams really do come true, with a $2.5T budget!
--
make install -not war
Wireless access points make it pretty easy to create a man-in-the-middle attack. Want to know how? Create an access point that mimics a corporate wireless access point that will take a user login and redirect them to the real access point they are trying to connect to and pass their MAC and login to the next access point. Most people won't check the authenticity of their access point so as long as they can log in and get to the network, they won't think a single thing is different.
You now have their login, approved MAC address, and their encryption key. I know this is a bit simplified, but let me say this, in no certain way should your wireless access points EVER be trusted. If you allow APs to get into your internal network, they are like hanging a bunch of open ethernet ports on the side of your building, regardless of how "secure" you may think they are.
I'm not saying people should not use wireless, but rather, that they should at least be aware of the security risks that it presents.
zosxavius photography
this consultant is the same fellow that will be reviewing our product later on in the year. it's not that our company is doing anything underhanded, that's just the way it works with them.
A public hotspot needs some sort of encryption with a guest. You may not be doing anything important, but what most people do on the web is check email. A login, or an important bit of info can get grabbed.
The only reason this is not an issue is that there aren't a lot of crooks taking advantage of it. But let this become a widespread utility of business by people thinking "the security issue is overhyped", and then you only have people reacting after they have been badly stung.
I can easily see a lot of corporate security as over-hyped. They could get rid of usernames and passwords and IP addresses on most intranets. But the traffic between the network and the rest of the world should be encrypted. They shouldn't make it easy for "man in the middle" attacks and packet sniffers or they will create a new fertile ground for crooks. Just ignore the issue, make it part of your infrastructure and then wait for the parasites.
>>"ad space available -- low rates!!!"