Slashdot Mirror

← Back to Stories (view on slashdot.org)

Antivirus Inventor Says Security Pros Are Wasting Time

Posted by Zonk on from the think-outside-the-para-digum dept.

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

15 of 282 comments (clear)

  1. PBKAC by DigitalisAkujin · · Score: 5, Insightful

    Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

    The issue is usually the idiot that becomes the victim of a well done social hack.

    As usual, the company is only as strong as it's weakest link.

    1. Re:PBKAC by boristdog · · Score: 5, Insightful

      Social Hacking is the main weakness of any system. And most of the time you don't even have to "hack" if you are perceived as "computer literate"

      Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."

    2. Re:PBKAC by eln · · Score: 5, Interesting

      I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

      Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

    3. Re:PBKAC by Anonymous Coward · · Score: 5, Insightful
      Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

      I wouldn't need to keep my password on a Post-It note if you IT guys didn't make me change it every two weeks!

  2. Re:What did I gain? by moderatorrater · · Score: 5, Insightful

    That's not the point. The point is that instead of making everyone have long passwords, you could take that same time and effort and train them about security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE. The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?

  3. having a lock on my door by circletimessquare · · Score: 5, Interesting

    is stupid because somebody can just kick in a window

    except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

    same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

    that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Defense In Depth by ThaNooch · · Score: 5, Insightful

    No one is trying to create an Iron Curtain. Security departments (most of them hopefully) are taking numerous measures to prevent breaches. Including access controls preventing one compromised computer from getting all the marbles via role-based or well-configured discretionary access controls, appropriate traffic filtering and intrusion detection techs.

    Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et. al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.

    Hopefully I'm right, because if I'm not... I'm scared.

  5. Re:chicken egg? by Penguinisto · · Score: 5, Insightful

    He might was well add his own password entry.

    True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).

    In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.

    The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)

    /P (who sees bits and pieces of it from time to time)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  6. Re:What did I gain? by moderatorrater · · Score: 5, Insightful

    Bruce Schneier wrote about the long password requirement and how it can backfire because users can't remember them. My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe. Besides, as seen by myspace and phishers, the strength of the password is rarely the weakest link, it's the security skills of the people. In 90% of the cases, strict passwords are completely useless because they're not the weakest link, other parts of the system and the users are.

  7. Dirty Little Secrets by dschuetz · · Score: 5, Interesting

    Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

    We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

    Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

  8. Re:Corporate mouthpiece by Anonymous Coward · · Score: 5, Insightful

    I can fully understand your cynicism, I share a lot of it. However, Peter Tippett does not work for Norton any more. He works for Verizon Business in their Risk Intelligence, and he has spent the past several years doing actual research on risk on an Enterprise level.

    Maybe he's wrong, but he isn't trying to sell you any software.

    Ben

  9. Re:Car Analogies by Farmer+Tim · · Score: 5, Funny

    That story has more car analogies than an average /. thread.

    Or to put it another way, if car analogies were like cars on a highway...

    --
    Blank until /. makes another boneheaded UI decision.
  10. "Attack trees" by Bruce Schneier by khasim · · Score: 5, Informative

    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

    If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

    You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

    There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?

  11. Actually by DaedalusHKX · · Score: 5, Insightful

    Actually, he seems to be more clear thought than you.

    He's saying "aim for as much security as you can get" not "aim for 100% impregnable", there is no such thing. Even Open BSD isn't impregnable, despite their claims. Nothing is impregnable to a determined and resourceful attacker.

    He is correct in saying, "rather than bunkering up, strive to be indigestible to AS many potential predators and parasites as you can"... i.e. he is admitting the one fact of the universe... "there is an exception to every rule, just because you haven't found it, doesn't mean it doesn't exist somewhere else, in some form.

    The arrow through the roof, for those with the intellectual openness to understand the metaphor is an unlikely incident, but if it does happen, what then. Peter is using that concept, to teach those willing to learn/understand, that for a car to be 100% impregnable, it would have to be arrow, bullet, cannon, nuclear weapon, weather and everything proof, including driver and other driver error proof, road proof, etc. However, the COSTS involved, and the final results are out of reach of even the rich, would make for a rather heavy, expensive and CLUMSY vehicle, and judging by risk, the benefits would far outweigh the costs. Its like flu shots. I travel, talk, do meetings, etc. I get sick very rarely, yet I see so many immediately taking "flu vaccines" out of fear that the flu will kill them. I've never had a relative who either died of the flu or had complications. Neither have I known anyone in my personal life who had these complications, and I have associates who have lived in first, second as well as third world scenarios.

    Thus, in similar vein, driver training gives better results than building the bullet proof car. Don't surf porn with internet explorer is FAR better advice than installing the latest antispyware, and "don't accept email except in plaintext format" is far better advice than trying to balance a proper load of antivirus (which the user might not allow to update, or might become broken, etc). There have been plenty of virus samples that hijacked the latest Symantec and McAfee antivirus, why? Because they tried to be everything to everyone, and when you over extend your coverage, you end up leaving holes in your defenses.

    Properly trained users is like having the original Citizen Militia, not truly powerful, but if properly trained in guerilla warfare and survival, and properly equipped, they can make ANY invading army's life, VERY difficult, to the point where the invading country finds the "host" or "prey" country to be "indigestible."

    Nothing is unassailable, but plenty of plants are poisonous to their consumers, so as to make it a known thing that they are indigestible. The one size fits all solution, from antivirus, to security departments, to everything else, is STILL the same age old problem. No risk can be reduced to 0%. But it can be minimized and compensated for. This is what Peter talks about.

    Its disappointing, I expected that those frequenting this board would've had the ability to apply metaphors in design. Good book for all to read. The Art of War. Get it bundled with The Prince. Good way to learn how to think.

    --
    " What luck for rulers that men do not think" - Adolf Hitler
    1. Re:Actually by XanC · · Score: 5, Funny

      the one fact of the universe... "there is an exception to every rule"

      Except that one, of course. ...whoa