Antivirus Inventor Says Security Pros Are Wasting Time
talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."
Can't everyone read the password hashes file? On Linux at least. You aren't protecting the file, you're protecting the keys that were used to generate the hashes in the file. Biiiiig difference between read and write access to a password file.
which is totally what she said
2) You're only as secure as your weakest password. We knew that.
3) This guy shouldn't talk about seatbelts.
.. paranoid crackpot leftover from the days of Amiga.
No. The /etc/passwd file does not actually contain passwords, despite the name. It used to (hence the name), but hasn't in a while, since letting people read the hashes lets people brute-force the passwords a lot more easily (basically, hash every word in the dictionary, save it in a file, and compare those hashes against the one in the password file --- though this is less effective if salting is used).
From my password file:
That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:
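Added example (not from the thread or from any poster): a small Python script that parses constructed /etc/passwd-style lines to show the "x" placeholder, then runs the dictionary attack described above against two hash stores built from constructed credentials. Against unsalted hashes a table precomputed once cracks every leaked store with a dictionary lookup; against per-user salts the whole dictionary has to be rehashed for every entry. The hashing here is a single SHA-256 call standing in for the real crypt(3) schemes, which also iterate many rounds; the users, passwords, salts and dictionary are all made up for the demonstration.

```python
import hashlib

# Constructed sample lines in /etc/passwd format (not a real system's file).
# The "x" in the second field means the hash is kept in /etc/shadow instead.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
]

# Constructed plaintexts and salts, used only to build the sample hash stores.
CONSTRUCTED_CREDS = {"root": "correct horse battery staple",
                     "alice": "dragon", "bob": "monkey"}
CONSTRUCTED_SALTS = {"root": "aZ3k", "alice": "Q9rt", "bob": "m0Xp"}

# A tiny attacker dictionary (constructed).
DICTIONARY = ["password", "letmein", "dragon", "qwerty", "monkey", "sunshine"]


def parse_passwd(lines):
    """Map user -> password field. Seven colon-separated fields per entry."""
    out = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) == 7:
            out[fields[0]] = fields[1]
    return out


# Simplified stand-ins for crypt(3): one SHA-256 call, with or without a
# per-user salt. Real shadow hashes ($6$ and friends) also iterate many rounds.
def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_stores():
    """Return (unsalted_store, salted_store) built from the constructed data."""
    unsalted = {u: hash_unsalted(p) for u, p in CONSTRUCTED_CREDS.items()}
    salted = {u: (CONSTRUCTED_SALTS[u], hash_salted(p, CONSTRUCTED_SALTS[u]))
              for u, p in CONSTRUCTED_CREDS.items()}
    return unsalted, salted


def precompute_table(words):
    """Hash the dictionary once; reusable against every unsalted store leaked."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(store, table):
    """store: user -> hash. One lookup per user, zero hashing at attack time."""
    return {u: table[h] for u, h in store.items() if h in table}


def crack_salted(store, words):
    """store: user -> (salt, hash). The dictionary must be rehashed per salt,
    so the precomputed table is useless. Returns (found, hashes_computed)."""
    found, work = {}, 0
    for user, (salt, h) in store.items():
        for w in words:
            work += 1
            if hash_salted(w, salt) == h:
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print(parse_passwd(PASSWD_LINES))
    unsalted, salted = build_stores()
    table = precompute_table(DICTIONARY)
    print("unsalted:", crack_unsalted(unsalted, table))
    print("salted:", crack_salted(salted, DICTIONARY))
```

Both stores give up the two dictionary passwords; the difference is that the salted store costs the attacker one full dictionary pass per user (14 hashes here, millions on a real word list), and that cost cannot be paid in advance.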
What Tippett is saying is already well known by security professionals (at least the ones who know what they are doing...risk analysis is part of the CISSP exam, is it not?). The problem is that despite this, we are forced to do expensive and less useful (useful at all?) stuff by management because they are the "decider". Companies that actually have a CISO with competent staff have a decent chance at doing it right, but in my experience, many companies don't, so you end up deploying stuff just because management likes to deploy new 'security systems' rather than actually address the security posture of the company.
http://www.schneier.com/paper-attacktrees-ddj-ft.html
Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.
If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.
You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.
There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?
You are proving his point!
By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker than a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)
I think Tippett would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anything past that is not netting you any practical security gain, and I think he's dead on.
I've heard the speech that this article is referring to and I have to tell you, it's pretty interesting. He talks a lot about trying to take a more practical approach to security, especially security research. Asking questions like "in a given environment, which controls result in an appreciable difference in security?" "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?" Putting aside how you answer such questions (it's not an impossible task) I have to admit that the answers themselves are relevant!
One of Tippett's messages he stresses in this talk is that the security industry does things differently than other industries and it doesn't make sense. He draws a lot of comparisons to the medical industry because he is a medical doctor as well. In medicine, when we want to know how effective something is, we study it, we design trials, we examine the effects in the field. In security, we tend to go straight from the theoretical realm, debating ideals and their implications, straight to hard and fast rules, without the testing in between. We do ourselves a disservice by doing so. Straight from thinking "Antivirus updates are important and need to take place daily" to a general belief that "if you don't update daily, you are stupid, and insecure" without the in between step of asking "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?"
I think people are missing the point of a very single and important statement the OP made. He said that all he needs is to get 1 password to compromise thousands. Much of security depends on a weak product...People. How many times in a movie have you seen those security guards watching a perimeter with those eagle-eyes of theirs, and spotting someone immediately. Well, usually in real life, after a few weeks on the job, those eagle-eyed guards turn into the other type of guards you see in movies...the ones with donuts and are asleep. The point is that people become lazy and do things like leave a password out in view, or easily found (i.e. ANYTHING not memorized). People talk on the phone when troubleshooting and give out passwords to "help" get back into systems, and then are slow to change them afterwards, or don't change them at all. People are...human. They make mistakes. The point he is making is that he only needs to exploit a single user who fails to be vigilant from day one. After that, the network becomes his playground. Also, although I agree that security is a mindset, it is a product as well. There is a dollar figure attached directly to it. If you did not purchase it, you don't have it. That's why I get paid.

Also, don't think I am picking on you for it, but SSH timeout is almost worthless. All it does is slow you down a small bit. Yes, if I fail login three times, it will boot that session, but unless you have other things set up for reporting/detection and response (again something that you most likely have to pay for), all that needs to happen is that script run continuously, establishing a new session each time, until it sees a prompt appear.

Do not stop using VPNs. VPNs can greatly enhance your network security from site to site. What you should enforce is visibility before reaching your LAN. In other words, terminate your VPN above a firewall, IDS/IPS, etc.
Have a security plan that includes public facing IPs that are protected by another router or firewall as well. Yeah, it can be costly, but the security provided is greatly increased as well, and you can effectively communicate and control traffic both inside and outside of your LAN. It isn't without flaw, but as the article is pointing out, there really isn't anything out there that is without flaw.
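Added example (not from the thread or from any poster) tying together three points made above: the "15 minute delay between every 3 attempts" policy with a human reviewing the logs, the claim that a WordNumberWord password is enough against an online attacker while "1024bit security" only matters once the hash file is downloaded, and the later observation that a per-session SSH limit is defeated by a script that simply reconnects for every guess. The Python below works out the online guess budget under that policy against an offline cracker, then implements a lockout keyed on the account rather than the session, so the reconnect loop still runs into the lock and still produces an alert line for the reviewer. The 10,000-word dictionary, the 10^9 hashes/second cracking rate, the credentials and the source address are all assumed values for the demonstration.

```python
from collections import defaultdict

# Policy quoted in the thread: 3 attempts, then a 15-minute delay.
ATTEMPTS_PER_WINDOW = 3
WINDOW_SECONDS = 15 * 60


def online_guesses_per_day(attempts=ATTEMPTS_PER_WINDOW, window=WINDOW_SECONDS):
    """Upper bound on online guesses against one account per day."""
    return attempts * (86400 // window)          # 3 * 96 = 288


def password_space(dictionary_size, digits):
    """Size of a WordNumberWord space: word, N-digit number, word."""
    return dictionary_size * (10 ** digits) * dictionary_size


def days_to_exhaust_online(space, guesses_per_day=None):
    """Online attacker, throttled by the lockout policy."""
    if guesses_per_day is None:
        guesses_per_day = online_guesses_per_day()
    return space / guesses_per_day


def seconds_to_exhaust_offline(space, hashes_per_second):
    """Offline attacker who has the hash file: bounded only by hardware."""
    return space / hashes_per_second


class AccountLockout:
    """Failure tracking keyed on the account, not the session. A script that
    drops the connection and reconnects for every guess gets a fresh session
    but the same account, so the count and the alert carry over."""

    def __init__(self, attempts=ATTEMPTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.attempts = attempts
        self.window = window
        self.failures = defaultdict(list)   # account -> recent failure times
        self.alerts = []                    # lines for the human reviewer

    def _recent(self, account, now):
        recent = [t for t in self.failures[account] if now - t < self.window]
        self.failures[account] = recent
        return recent

    def attempt(self, account, source, password, check, now):
        """Process one login attempt. Returns (accepted, reason)."""
        if len(self._recent(account, now)) >= self.attempts:
            return False, "locked"            # not even checked against the store
        if check(account, password):
            return True, "ok"
        self.failures[account].append(now)
        if len(self.failures[account]) == self.attempts:
            self.alerts.append(f"t={now:.0f} LOCKOUT account={account} source={source}")
        return False, "bad-password"


def simulate_attack(lockout, account, source, guesses, check, start=0.0, interval=1.0):
    """One fresh 'session' per guess, as the reconnect loop would do.
    Returns the reason string for each guess in order."""
    return [lockout.attempt(account, source, g, check, start + i * interval)[1]
            for i, g in enumerate(guesses)]


# Constructed credential check standing in for PAM/sshd (assumed data).
CONSTRUCTED_CREDS = {"alice": "dragon"}


def demo_check(account, password):
    return CONSTRUCTED_CREDS.get(account) == password


if __name__ == "__main__":
    space = password_space(10000, 2)      # assumed: 10,000-word list, 2 digits
    print("online, locked out:", days_to_exhaust_online(space) / 365, "years")
    print("offline at 1e9 H/s:", seconds_to_exhaust_offline(space, 10**9), "s")
    lk = AccountLockout()
    print(simulate_attack(lk, "alice", "203.0.113.7",
                          ["password", "letmein", "qwerty", "monkey", "dragon"], demo_check))
    print(lk.alerts)
```

With the assumed numbers the same WordNumberWord space takes tens of thousands of years to exhaust online and ten seconds offline, which is the whole argument for keeping the hash file off the wire. In the simulation the fifth guess is the right password, but it arrives inside the lock window and is rejected without ever being compared, and the one alert line is what the daily log review is supposed to catch.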
If you manage to crack that, try it at 127.249.17.156
Actually from what I remember of the man, without crosschecking - I believe he works from a whitelist perspective - close it all and open what you need.
"Little is much when little you need."