Computer Security Still Totally Inadequate

Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise". Kernel developer and Red Hat fellow, Allan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

Symantec Security Software

[orangeguru]

With security suites like that you don't need any hackers or viruses. Bloated Symantic software makes your computer unusable and unstable anyway ...

the best systems today are totally inadequate-not

[bcrowell]

I first heard this ca. 1990: if your system is connected to the internet, and it hasn't been hacked yet, it will be soon. Still hasn't happened to me.

We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours
Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end. Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.

What does this have to do with flammable gas?

[bigtallmofo]

This is why having a Hydrogenous network and/or having a society where no one platform dominates.

I'm guessing hydrogenous is not the word you were looking for. Assuming of course that you weren't proposing that we base our networks on hydrogen.

I'm going to instead assume you meant heterogeneous which is something often proposed on Slashdot and grants the proposer instant karma as people rush to mod them up.

The only problem is having a hetereogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.

"Security Professionals" are Retards

[Uhlek]

Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.

I'm really tired of mediocre systems guys passing a CISSP exam (thousand miles wide, quarter inch deep) and being declared experts on securing things they don't even understand to begin with.

For one, quantative analysis of the numbers of vulnerabilities doesn't equate to determining if a system is more or less secure than another. It's also meaningless if you don't compare how the systems are configured in what kinds of environments. Even simple things like Linksys routers greatly contribute to additional security on a personal computer (Windows or otherwise).

From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."

Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.

Insofar as Firefox and and OS X being "in for surprises." Sure, Firefox is an evolving application, bugs will be introduced and squashed, and later on more will be introduced. Some of those will be security vulnerabilities. Any application who's sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.

OS X ... please. The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over. Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause -- even if the spread wouldn't be nearly as bad. And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?

Despite that incentive, it has yet to be done. A rootkit is being touted as "proof of OS X's insecurity." Give me a break. If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.

Jesus, I hate security people. I just want to choke them.

Computer viruses like their biological counterpart

[Yossarian45793]

It should come as no surprise that computer viruses and worms tend to aim for control rather than destruction. This exactly parallels what happens with biological viruses and worms. A virus that destroys its host cannot propogate very far before becoming extinct. Viruses that damage their host but leave it good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).

Register.uk's publishing Symantec's adware

[DECS]

Symantec is publishing a self serving press release full of intentional lies as a news item, and idiot news outlets like the Register are publishing it without criticism.

Shame on both!

How about reporting:

"Symantic issued an official sensationist panic warning to Mac users who have not bought their product. It is unclear how Symantec's products will secure the Mac platform from exploits, since they do nothing to secure a system from a user with physical access. The company may also consider selling volcano insurance and eating babies"

From the actual Register story:

"While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future. Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X. This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."

So Symantec:
- is shy to report that there are no exploited vulnerabilities
- analyzed a OS X root kit and determined it ran on OS X
- thinks the adware/malware market, driven by demand for easy to zombify PCs, is somehow poised to launch specialized attacks on inherently secured systems via non-replicating trojans that require root access to install.

Which is worse, Symantic's bullshit misinformation, or the Register's uncritical dissemination?

And that is why you'll continue to see these.

[khasim]

The "experts" writing these "articles" will be out of a job as security increases.

From TFA:

According to the latest edition of Symantec's Internet Security Threat Report, 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer in the first half of 2005.

And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.

Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.

Graham Pinkney, head of threat intelligence EMEA at Symantec, said that switching from IE to Firefox as a way of minimising security risks was no longer valid advice.

Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?

"Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Pinkney told an IDC security conference last week ahead of the publication of Symantec's threat report today.

And he has determined that ... how?

Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?

John Cheney, chief executive of email filtering firm BlackSpider, replied that the release of Firefox had "helped Microsoft to raise its game" in terms of browser security.

"We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?

As well as making comments that will doubtless irk Firefox fans, Symantec has renewed its assault of the perceived security advantages of Apple Macs.

Hmmmm, Symantec sells anti-virus software and the like.

Macs don't seem to be having massive virus/trojan/worm problems.

Something doesn't look right.

"Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac's operating system, OS X," Symantec said, reflecting comments in the previous edition of its threat report that OS X was an emerging target for attack.

When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.

"While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future."

Again, it isn't the number of vulnerabilities, it's how they can be exploited.

Yet I keep seeing references the the NUMBER of vulnerabilities announced.

Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X.

#! /bin/bash
cd /
rm -R

Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!

"This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."

As does my example with regards to bash and Linux.

It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.

Away from the desktop, Microsoft enterprise applications remain the top hacker target.

Why "away from"?

Aren't they also the top target on the desktop?

How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?

Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.