Security Industry Faces Attacks It Can't Stop
itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
the "victims" were all running MS Windows...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
FAIL!
A lot of security theater is out there, but one thing is for certain: you can dramatically lower your risk just by thinking for a minute before you click on some link/email/app/etc.
[citation needed]
Oh and conspiracy theories are not adequate citations. You could at least try to not sound like an idiot.
"I use a Mac because I'm just better than you are."
Oh... like how the police can't prevent crime?
Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid (or lazy) than they claim to be.
Yeah, and then Schneier stated in a retraction that that wasn't the case.
All of the victims we've worked with had perfectly installed antivirus We all know they're just drumming up business for themselves.
Antivirus is a joke, and always has been.
You don't fix a software problem with more software. You fix the software.
If you can't fix the software, you do your best to avoid situations where it will be attacked. In other words, don't punch the monkey.
I don't run AV, I do run XP, I don't punch the monkey, and I don't get viruses.
Training users at some megacorp to not PTM is a lost cause. Fix your s***, and forget AV.
The "security industry" is NOT interested in putting itself out of business by selling WORKING products.
That's why the "perfectly installed antivirus" gets daily updates and STILL CANNOT TELL A GOOD FILE FROM A BAD FILE.
Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
It's far easier to identify the files that SHOULD be allowed than it is to identify a possible threat.
The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.
AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect. Same with IDS and the lot of it.
In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better. The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
If the "M" virus hits the RSA conference, is it the MSRA virus?
Free Martian Whores!
This is a terribly ignorant statement. The security industry has actually succeeded in protecting paying customers from all but the most pernicious threats. IT security is about reducing risk, and that's what it does--successfully.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
but you can't stop him from clicking on a link to beat the crap out of a monkey.
Sent from your iPad.
The Microsoft operating system has been, and always will be, insecure. No amount of anti this, anti that, or how up to date your Windows box is changes that; it is not safe to use for any kind of sensitive data.
My karma is not a Chameleon.
We'll soon see sanctions against the "evil" countries.
Don't blame the security industry; blame the application developers. Adobe has a new input validation vulnerability every day; browsers fail to properly sandbox these crappy plugins; the OS fails to properly sandbox the browser. Virus scanners address the symptoms of the problem but ignore the cause, which is that secure coding practices simply aren't followed.
Film at 11.
One thing that shouldn't surprise me anymore but keeps surprising me is that it seems like the more money you pay for software, the more half-assed it is. You get an off-the-shelf product like Quickbooks, it's impressive. You look at stuff that's industry-specific, specialized software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be the lack of competition means there's no real reason to improve the product beyond what it already does.
I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
The dark side of computer "security" pays far better than the good side. I was contracted to set up a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.
The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know, the other 12 were support for shipping, gathering information, making contacts, and advertising, etc. When dealing with spyware/malware, there is a lot of butt covering, and evasion.
The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.
How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?
I work corporate IT and I periodically sit down at each machine and run 3 or 4 virus scans in addition to the one installed on every workstation, but this is a lot of effort. Infections slip by our real-time scan all the time.
There is no perfect security, offline or online.
I like to say there are 3 main types of attacks:
We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.
Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.
This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.
Blessed are the pessimists, for they have made backups.
That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.
Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.
It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.
I work for the Department of Redundancy Department.
The most widespread vulnerability to internet activity today is not something that can be fixed with an antivirus program, or any kind of program for that matter. When it comes down to it, the primary vulnerability is the meat bag sitting at the keyboard. People are stupid. They don't mean to be. They don't try to be. Still, they are (myself included on plenty of occasions). As a result, all a successful hack has to rely on is convincing a large number of stupid people to do something stupid. That's really not that hard.
We see this in other fields. People do stupid shit all over the place and we try to fix it by teaching people that they can't keep doing dumb stuff. For instance, if you give a pissed off teenager the keys to a car, he/she will drive it recklessly fast. So we have cops out there to teach them different. We hope parents try to teach them different. If all else fails, we have to take forceful action to protect them from themselves (court, gavel, community service and/or jail time). On a large scale, if some group of people pick a fight with another group of people over something stupid (like some kind of zealous ideal or discrimination), sometimes we have to intervene with force to tell them to knock it the crap off (war). It seems terrible. It is a pain in the ass. But it stems from the fact that, often, competent and intelligent folk often need to protect the stupid folk from themselves (or at least we humans convince ourselves of that).
So, those blurry analogies drawn, it all boils down to a simple fact. People are stupid. And as Ron White put it, "You can't fix stupid."
At best, those who are less stupid than others need to work (and sometimes fight) to protect the stupid people from themselves. In other words, the cyber security model needs to evolve from a passive defense to an aggressive offense taken against the stupid attackers who continually exploit stupid users. In other words, out-compete the shysters.
Motorcycles, Robots, Space Gossip and More!
There are some problems that you have to pay money to have.
True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.
The problem is that they haven't even hit the 50% mark. They cannot even, reliably, detect threats that are over a year old.
Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).
I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.
It is not in the "security industry"'s best interest to commit to real improvements in security.
No security is perfect, never has been, never will be.
And security isn't static. The attacks keep changing; defenses need to change to meet the attack. That means the defenses are reactive - they lag behind the attacks. That means the attacks will always work, at least for a little while, longer against companies and technologies that don't keep up.
Gee, I should become an industry analyst. I can state the obvious with the best of 'em.
e (damn /. and its short subject field).
Our state CISO was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.
By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.
He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."
As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.
I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:
Site one
Site two
Further, here is an article which talks to the firee after he became the state's first CISO and what he had to contend with.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Fast moving exploits blow right past these security products. The whole industry is based on "identify new threats, develop a detection routine, include it in the next update". So from the time the "assault" starts there's the time it takes for someone to find it and report it to the security product company. Then there's the time it takes for that company to analyse the threat and code a detection - and then there's another delay while customers wait for the next update cycle to come along.
That's easily ten or more days during which the exploit gets spread far and wide. The bad guys know this and carefully craft their exploits to spread quickly so they can be widely installed before the firewalls and virus scanners start blocking them - and they make their programs hard to detect and harder to remove. Even after the security vendors have the threat "neutralized", the exploit continues to spread behind the firewalls and to the companies with lazy admins who haven't patched recently.
What really needs to be done if we're ever going to make a significant dent in the flood of malware and viruses is to put an end to the various forms of remote execution that some ill-advised software companies have included in their products. Any software that automatically installs or opens files from the web provides an entry for attackers. Things like Flash, ActiveX, etc. - an operating system that permits "drive-by downloads" just isn't suitable for a connected world. Fix those glaring flaws and the number of problems would go way down.
Of course this isn't likely to happen any time soon. Advertisers love those blinky, colorful, dancing, and music playing advertisements. They insist on more and more of these and that's led to more and more viruses being installed by innocent looking ads on some reputable site's webpage. And it's all due to some idiot thinking it was a great idea to have your computer download and open an executable file automatically.
So now we're using ad-blocking software to protect our systems from this kind of danger - and the advertisers are starting to howl. They don't see that they're providing almost universal access to those black hat programmers - or they do see this and don't care because they're making money. We can't have things both ways - if you allow remote execution then you're going to have security breaches. If you don't allow it, the web would be a quieter and less "content rich" place.
No? Then it isn't an issue.
Now, if you're trying to store your shopping list on c:\windows\system32 ... then the anti-virus app should block you.
As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.
A side benefit of this would be that the anti-virus app could also tell you that you have vulnerable, unpatched apps on your system.
You'd retract your words if feds threatened you with jail-time.
How can a perfectly installed AV detect a new virus or malware that does not have a previously identified signature? Or is being implemented in an entirely new way which is not currently in the AV or security programs' list of possible intrusion scenarios? AV and security programs are nothing more than window dressing allowing IT execs to say "look, we are doing all we can to prevent these problems, what else can I do?" Their bosses see the programs running and believe they are safe.
An AV program will never prevent new viruses. Once a new virus is in the wild it will infect a certain amount of users; once it is recognized to be a new virus the AV companies will create a definition for it. There are always a few unlucky ones who will be infected, this is a given. But not something any AV company will admit to. At this point it is the responsibility of the IT staff to do the only guaranteed thing which will remove the virus: format the drive and reinstall the OS. Too many people feel they can remove the infection, and while this may be true in a very limited amount of cases, there is always the possibility that the virus your AV has recognized is a variant which is still unknown.
Let's face it, the only reason people realize they have a virus is because their computer starts acting "funny". A well written virus may never produce any indications of an issue and may go on working happily until either the user renews their AV program or retires their computer.
You could at least try to not sound like an idiot.
Which is why I am staying out of this conversation ... except for that ... and that ... oh, never mind.
The industry needs a "do-over". It's unlikely to ever happen but that's what is needed. Joe Sixpack expects home computers to "just work" and that's what Microsoft has delivered.
Until every Joe Sixpack is willing to educate himself on computer security all computers should be more difficult to use, not easier.
I doubt the Google end-users were doing anything stupid anyway.
They were running M$ Windozes... that's very stupid.
Just run internet-facing programs like the browser and email client in separate virtual instances, preferably with a more secure OS underneath. Reboot those instances hourly (or whatever) and apply the latest patches at reboot. Sharing data between apps could be a little bit of a pain, but copy&paste works and shared folders with the host can be implemented in a secure way.
Where did the feds threaten him with jail time?
You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.
I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
Chas - The one, the only.
THANK GOD!!!
If you read "The Cuckoo's Egg", you will be both charmed and horrified about how quaintly computer security was regarded by the United States government in the early years of the Internet. The insane thing is that despite all the time that has passed since then, we still have lone basement hackers discovering tears in the fabric of the Internet like when Dan Kaminsky found his DNS flaw.
I believe the Chinese attack on Google has finally woken up a lot of very important people. I was stunned that Hillary Clinton added her voice to those asking the Chinese for answers.
I was also impressed by the Chinese attack -- state sponsored hacking is now explicit reality. "Cyber-warfare" is now reality. Countries have started accumulating and safeguarding their intelligence regarding electronic espionage.
It's not fun and games anymore. Kaminsky found a flaw in DNS from his apartment. We will never know if or which governments knew about it before Kaminsky went public.
Yeah, read the whole thread. You might notice that that was my original point.
The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.
If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.
But they don't do that. See the sentence above the sentence right above this one.
We should feel lucky we don't have Cylons yet. They hacked 5 layers of firewalls in a matter of several minutes...and it took many episodes and a reboot via hot skin job sticking things into her arm before they finally removed all trace of the virus.
If security is that difficult, then why haven't all the banks been emptied by now?
NO technology will do your thinking for you. NO product will protect you if you don't know enough to protect yourself. Antiviruses, deep packet inspection, intrusion detection, etc: they are all useless - worse than that: they are expensively useless, designed more to make somebody else money than to protect the end user. The ONLY thing that will protect you is knowledge. When will people learn that if they want the benefits of modern technology, understanding it is not optional?
Or Apple... or Mozilla...
The biggest security problems are operating systems and applications that build in "exploit me harder" APIs and user interfaces like ActiveX and 'Open "Safe" files after downloading'.
Microsoft is the poster boy for this, with justification, but every browser company is guilty to some extent. There are no exceptions.
Sometimes I've wondered if its time for businesses to have a backbone between them, similar to SIPRNet or NIPRNet. This wouldn't be an IP network, but have its own protocol, and the hardware transceivers would use SIM card functionality to encrypt stuff over the wire. Then, machines can be connected solely via this. This way, an intruder would have to hack a gateway box, find a way to get access to the target over the network backbone (machines on the same backbone can be configured only to communicate to clients or other B2B partners, and not just anyone via an enhanced host.allow/host.deny method), then find a way to start launching attacks against the machine proper. Another advantage is that an obviously compromised machine could be pulled off the backbone by an update of a CRL (the revocation certificate can be temporary until the admins can clean a box up, or permanent.)
Of course, this idea is rough, and likely there are a lot of security issues, but separating into different networks means an attacker has to first crack their way onto that network before they have access to a host. The biggest difference between this and IP based private networks is that the backbones are not IP based, so an attacker would have to compromise a machine that has both Internet access and access to the private network and either turn the machine into a bridge or gateway, or use the machine as a staging point for the private network attacks.
If one thinks about it, not all machines connected to the Internet really need Internet connectivity. A lot of servers only need connectivity to Internet facing machines, an internal update repository, and a server which does backups.
Correlation can very well imply causation. Let me prove it to you:
Obviously it must be one of those national security letters that let them do anything and nobody can talk about having gotten one.
If I have been able to see further than others, it is because I bought a pair of binoculars.
... to act as a deterrent. The Mariposa perps face a maximum of six years under Spanish law. That's small enough to shrug off as the cost of doing business.
IIRC, government intelligence tries to hire black and white hats. Get 'em while they're young.
Has the security industry been as busy hiring people with talent, as opposed to credentials?
The security industry will always be unable to protect everyone 100% of the time.
...sort of like how the TSA and the government cannot provide 100% security from gangsters/drug dealers/terrorists. I think that the posted topic reads like the common hysterical notion of, 'Why can't X protect me from dangerous stuff all of the time?'
To address the main topic: How have security firms 'failed'? Billions of dollars flow about the internet on a daily basis without a hitch. Huge amounts of data are seen by the people that need to see them and aren't seen by those who don't. Sure, stuff like Google's break-in looks spectacular, but really? You are calling security firms impotent when they cannot stop a HUGE FRIGGEN COUNTRY with vast resources at its disposal from breaching security here and there?
HA! I just wasted some of your bandwidth with a frivolous sig!
I used to be the webmaster for a company called BluePoint Security (http://www.bluepointsecurity.com/). I still believe to this day that nothing can come close to how well it protects a system. I even had some of the best at Mercer University try and hack a computer running it (stock, patched XP and nothing else) and they couldn't. Just thought I'd share that with ye security folks. Kerry Hatcher Webmaster 41 NBC www.41nbc.com
Kerry Hatcher | Owner | Hatch Media Productions
Yep! And then we'd FINALLY see some improvement in anti-virus competition. Which company has the more complete whitelists? Or which company has the whitelists that work for YOU?
Two points there:
1. Adding programs is time intensive - which is why you'd rely upon the anti-virus updates. It is time intensive for one person ... but an anti-virus company should be able to handle it easier than making signature files for potential threats.
2. Windows has a lot of stuff that will run on it - which is (one of the reasons) why viruses (and such) spread so easily on it. But at least this way, the user will have a real option instead of the current situation.
And I'm not posting the white paper here, but I will give it to hackers.
Sure! It's not like Microsoft is going to start changing Windows any time soon, is it? (the expected answer is "no")
Those people are confusing "security" with "marketshare".
And the more hoops you make a user go through for LEGITIMATE threats, the less likely that that threat will be realized.
As opposed to the current situation on Windows where EVERY new app is considered a threat. Which means that the situation is more of a "new app detector" than a "virus detector".
Not to mention that the anti-virus app can then "scan your machine for possible threats" and tell you that apps A, B, C, D and E are out of date and have patches available.
Is it time to close off most corporate networks so people can't access company information and the Internet on the same computer at the same time?
Two methods I can see:
KVM switches, which are impractical but almost impossible to remotely hack.
No-permanent-state workstations or thin clients which allow connections to either the corporate network or the Internet, but not both in the same session. To change sessions requires restarting the workstation.
Of course, this is only a start. In many cases, employees will need to have some way to access specific web sites on the Internet while looking at corporate data.
There are also a host of other issues this doesn't address, and a host of other problems this introduces, namely, inconvenience and infrastructure costs. Nobody said security was cheap.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You are asserting that the costs of a computer end at purchase, they do not. With Windows, the purchase price is only the beginning of your costs.
So in other words, you're saying preinstalled Windows is free only if your time is worth nothing. Where have I heard that one before?
Anti-virus
Viruses exist for all operating systems. Take GNU/Linux on x86 for example: a virus running as a limited user can infect all programs installed into a user's home directory. If Linux had majority desktop market share, it would have the same virus problem as Windows.
upgrading
Windows has RTM through Service Pack 3; Ubuntu has Hardy Heron through Karmic Koala.
rebooting
What operating system doesn't need to reboot for a kernel update? I use Ubuntu on a few PCs, and when Update Manager installs an update for the Linux image and Linux modules, it always asks for a reboot.
No way! That would be the same (effectively) as the current situation for the end user. They'd just click through because they wouldn't understand the implications.
No. I'm suggesting more along the lines of NOT throwing up any alerts if the file's hashes and signatures match KNOWN releases from KNOWN companies. So an install of Adobe Acrobat goes through without throwing up warning ... but the website downloading malware_1.dll to c:\windows\system32 throws up multiple, sequential windows with the option to compare that file to online databases of known malware.
Make the warnings appear when the other avenues of verification have failed so that they are UNUSUAL and not just part of Windows' regular behaviour.
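The allowlist idea argued across these comments (block writes into the OS directory unless the file's hash matches a known release, with the vendor's catalogue as the authority) can be sketched in a few dozen lines. The code below is an added example, not part of the thread and not anyone's product: it uses a constructed catalogue of known-good SHA-256 digests, an HMAC standing in for the vendor's signature on that catalogue (a real vendor would use a public-key signature), a constructed verification key, and only `C:\Windows\System32` as the protected area. Writes outside the protected area are never inspected, which answers the "shopping list" objection, and a catalogue whose MAC does not verify is refused outright, so an attacker cannot simply add their own digest to it.

```python
"""Added example: allowlist-based write policy for a protected OS directory.

A write under a protected directory is allowed only when the file's SHA-256
digest appears in a vendor catalogue, and the catalogue is trusted only when
its MAC verifies. Everything outside the protected area is left alone.
"""
import hashlib
import hmac
import json
from pathlib import PureWindowsPath

# Assumption for this example: only System32 is treated as "the OS".
PROTECTED_DIRS = [PureWindowsPath(r"C:\Windows\System32")]

# Constructed key shared between the vendor and the client; a real deployment
# would ship a vendor public key and sign the catalogue instead.
VENDOR_KEY = b"constructed-vendor-key-not-real"


def sha256_hex(data):
    """Digest used to identify a file's content independent of its name."""
    return hashlib.sha256(data).hexdigest()


def build_catalogue(known_good, key):
    """Vendor side: map release name -> digest, plus a MAC over the entries."""
    entries = {name: sha256_hex(content) for name, content in known_good.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, "sha256").hexdigest()
    return {"entries": entries, "mac": mac}


def load_catalogue(catalogue, key):
    """Client side: verify the MAC before trusting a single digest in it."""
    body = json.dumps(catalogue["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, catalogue["mac"]):
        raise ValueError("catalogue failed verification; refusing to trust it")
    return set(catalogue["entries"].values())


def is_protected(path):
    """True when the path is a protected directory or anything beneath one."""
    p = PureWindowsPath(path)  # Windows paths compare case-insensitively
    return any(d == p or d in p.parents for d in PROTECTED_DIRS)


def check_write(path, data, allowed_digests):
    """Decide (verdict, reason) for a proposed write of `data` to `path`."""
    if not is_protected(path):
        return ("allow", "outside protected area; no check applied")
    digest = sha256_hex(data)
    if digest in allowed_digests:
        return ("allow", "matches known-good release " + digest[:12])
    return ("block", "unknown file " + digest[:12] + " written to protected area")


def catalogue_is_trusted(catalogue, key):
    """Convenience wrapper: True if the catalogue verifies, False otherwise."""
    try:
        load_catalogue(catalogue, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one known-good release, one unknown DLL, one text file.
    cat = build_catalogue({"acrobat_installer": b"constructed acrobat bytes"}, VENDOR_KEY)
    allowed = load_catalogue(cat, VENDOR_KEY)
    for path, data in [
        (r"C:\Windows\System32\acrobat.dll", b"constructed acrobat bytes"),
        (r"C:\Windows\System32\malware_1.dll", b"constructed unknown bytes"),
        (r"C:\Users\Pino\shopping.txt", b"eggs, milk"),
    ]:
        print(path, check_write(path, data, allowed))
    # An attacker who edits the catalogue without the key gets it rejected.
    tampered = {"entries": dict(cat["entries"], dropper="0" * 64), "mac": cat["mac"]}
    print("tampered catalogue trusted:", catalogue_is_trusted(tampered, VENDOR_KEY))
```

The hash match is on content, not filename, so renaming a dropper to look like a legitimate DLL gains nothing; the verification step is what makes the vendor, and only the vendor, the authority the comment above asks about.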
Your mom.
Possibly mine also ...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Well, my BIND does announce itself as a Win95 Beta version...
And my semi-automated countermeasures do ban your IP for 24 hours every time they detect something I didn't explicitly allow.
And my firewall rules begin with Deny All.
I just love heterogeneous IT systems... makes it moderately harder to penetrate.
But hey, just a suggestion to all the preceding posts: /sarcasm engaged //sarcasm ends, logic loop detected
IF OSX IS SO SECURE, WHY NOT MAKE ALL WAN FACING FIREWALLS/PROXIES WITH MACS
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Security Industry Faces Growth and Sales Opportunities into Perpetuity.
I apologize. I read "program that BLOCKS file writes to the operating system" and misinterpreted it as "program that BLOCKS file writes before they reach the operating system", not the intended "program that BLOCKS writes to files making up the operating system". Kernel enforcement of file and folder permissions is supposed to do that.
On the other hand, a virus can still infect programs installed to a user's home directory. In addition, older Windows versions have stored home directories inside %windir%. For example, a home directory might have been "C:\winnt\profiles\Pino".
UAC's issue was that it was TOO thorough. If a user, using the mouse, manually clicks start, control panel, security center, and windows firewall, it will UAC prompt for that. It UAC prompts for running MSCONFIG. It prompts for running under alternate credentials when those credentials are manually typed in. Some applications triggered a UAC prompt every time they ran.
After a while, UAC just became like a car alarm. When was the last time you heard a car alarm activate and you thought to yourself "oh snap! someone's car is getting stolen!"? I can't even remember. If I were walking through a parking lot at the mall and I saw somebody with a coat hanger down the window and an alarm going off, my reaction would be to look at that guy and say "lock your keys in the car, buddy? need to call AAA?" Car alarms go off so frequently that by the time there is an actual robbery in progress, we're conditioned to simply ignore it.
Similarly, UAC was so obnoxiously prevalent in Vista that people don't even stop to think about it anymore. It's just an extra step to see the dancing bunnies, nothing more. If it were designed to more correctly respond to attack vectors, I think it'd be more useful. If UAC were limited to software installations (complete with some "disable until next reboot since I'm performing lots of installations since I just bought this computer" mode), scripted/command line changes to control panel options, registry changes independent of a software install, and unsigned ActiveX applets, that would cover the overwhelming majority of ways that things happen without user consent that UAC notifications would actually be noteworthy enough to users that it would cause them to stop and think about what is happening.
Security software has this tendency as well. It nags so much that many users almost have the mindset of "an invisible virus is less aggravating than my security suite". Like UAC and car alarms, security suites that flag things like tracking cookies as infections are disingenuous and instill more negative conditioning than positive.
Yes. And not only checksums, but hashes and signatures and so forth. The more ways to verify a file is from a KNOWN vendor, the better.
Hold that right there.
You left off "legitimate, non-malware app".
If this stops the user from installing a virus or whatever, that is good. Even if the user THOUGHT that s/he wanted to install it.
Why? Wouldn't that be a way to differentiate between the various anti-virus companies? As long as the vendor you went with supported all the software that you wanted ... you'd be happy. Or you could go through the hoops and install it anyway.
See above. You would spend your money with the more responsive vendor. Or you'd go through the hoops.
Why would you need to? If the hashes and signatures and so forth aren't enough to show that that file came from that vendor, oh, wait, they would be.
Again, you wouldn't need to.
We're talking about zombie networks that have MILLIONS of infected machines.
If you are the vendor of an app that has MILLIONS of installs, wouldn't you be able to sign your own work? And coordinate with the anti-virus vendors to list your app?
And if you aren't talking about MILLIONS of installs then you admit that this approach solves the biggest problem with such malware.
That's because the anti-virus vendors don't have the LEGAL RIGHTS to do that.
The BEST that they could do would be to alert the end-user that application X has KNOWN VULNERABILITIES and needs to be REMOVED OR UPGRADED as soon as possible.
http://www.ksplice.com/
Check it out. The source is available too. Neat stuff.
yes, but if you had a cute widdle kitten sticking his head out of goatse's ass, you'd have an unbeatable combo!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
For those customers who, few as they may be, were using McAfee's latest acquisition (Network Threat Response), they were protected. It's a helluva good product. I am in no way related to McAfee and do not benefit from making this statement.
Or perhaps stop using losing strategies like Default Permit when it comes to security.
Exactly.
AV software is just an example of Enumerating Badness which in the long run is a very very bad strategy.
And impossible. As you address later.
AV software is useless against a custom virus I write just for attacking your system.
Which is why whitelists would go a long way towards solving most of these "problems".
The problem isn't windows. the problem is that people keep using terrible strategies.
I'll disagree because the security model behind Windows is based upon the other elements you've already identified as problems.
And Microsoft made that security model in that fashion so that they could leverage sales of one product to sell other products. Which is why you find RPC in so many of their products.
Look at what you'd consider "best practices" for security. Then compare Win2K to Win2K8 or Win7. Microsoft has made some improvements. But Win7 is still vulnerable to the same attacks that Win2K was.
anyone had any experience with symantec's "reputation based security"? they were also calling this their "quorum" technology.
here's an article i managed to google up on the subject..
http://www.networkworld.com/news/2009/090809-symantec-quorum-antimalware.html
Long live the BSD license
Or we could do true layered defenses in security and redesign the OS to support them. Don't put crap into ring 0 just for "performance" purposes. Use micro-kernels and use messaging systems for interprocess communications. Place OS files into their own, protected partition and control access rigorously. Sign them. Allow unsigned drivers if need be, but sandbox them. Limit "shared" libraries and directories (hello Microsoft and Adobe). Drop legacy application support unless seriously sandboxed in a virtual environment. Heck, sandbox current applications the same way. And so on.
Today's processors and multi-core systems are fast enough to handle the overhead. Drives are huge. Allocate a full 10% of the processor budget to security. Why should we not sacrifice a few FPS in Quake or Unreal for hardened systems that are much, much, much more resistant to tampering and infection?
We know what we need to do. Just do it.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
And since the average user would have clicked through anyway ... the net result is the same as the situation today.
Again, the net result is the same as the situation today.
Except that that is not stupidity. Because clicking through all those screens is seen by the end user as just another part of the install process the end user will click through all those screens taking whatever the default is.
Stupidity is when the user is informed that something UNUSUAL is happening and NOT part of the expected process and clicks through anyway. Which means that the process CANNOT be part of installing regular, good applications.
Exactly correct. An alarm is NOT an alarm if it is continually triggered by regular activities.
Also true, with the caveat that on GNU/Linux, a downloaded virus doesn't automatically have the ability to be run.
True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?
Number of upgrades is meaningless, cost of upgrades, in both time and money, is meaningful.
Windows service packs are free of charge to all licensees of genuine Windows OS. The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.
rebooting for a kernel update isn't strictly necessary in Linux if you use KSplice.
Ksplice costs 48 USD per year unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all. And guess what company employs the inventors who applied for a patent on the method used by Ksplice.
..the very idea of a "security industry" is total bullshit. Security isn't something you add, it's something you refrain from subtracting. Given that there's no such thing as a security industry, why would you expect someone who says they work in it, to sell you something useful?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I believe that anti-virus and other "security" methods are going to prove as fruitful as DRM schemes in the end.
It's increasingly obvious that any security scheme can be broken, just as any DRM scheme can be broken.
At some point there has to be a cost analysis where people end up just saying, "fuck it!"
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
No. If done correctly, this will ONLY appear when they are installing something that is dangerous.
Because most users don't intentionally install software that is that new. They install Acrobat Reader and there is no pop-up. They install WoW and there is no pop-up. They install Trillian and there is no pop-up.
They try to install SexyLadies.jpg.exe and there is a warning pop-up. Whoa! That was unexpected. That didn't happen the other times.
If they're really pro-active they'd have an online option to check the file. Yep. It's infected with CodeSlammer3000.
Now, SOME users will install it any way. So what? This is about IMPROVING computer security. Not achieving 100% perfection.
So in other words, you're saying preinstalled Windows is free only if your time is worth nothing. Where have I heard that one before?
From everyone, because it's true. That's exactly why I moved away from Windows for all things computing. Life is too short and brutal as it is.
Viruses exist for all operating systems.
Dinosaurs exist too! Because there were some around, once. Of course there are not any now but according to your warning I should treat equally the threat of a T-Rex coming through my window as I would a coyote, because after all even if one system has no viruses in the wild and the other system has tens of thousands, they are obviously equal because you say they are!
If Linux had majority desktop market share, it would have the same virus problem as Windows.
This "fact" was debunked long ago by OS X virus count related to market share. Or if you prefer, the dearth of viruses for any popular mobile platform.
Windows has RTM through Service Pack 3; Ubuntu has Hardy Heron through Karmic Koala.
You are trying to make Linux look bad but honestly to the average person the left and right side of that equation are just gibberish.
What operating system doesn't need to reboot for a kernel update?
The question is not rebooting for kernel updates, it's how much is in the kernel (after all the more that is there the more updates will require a restart) and how frequently (in real life) you need to reboot.
That said, there have been a number of OSes that do not require reboots for kernel updates - not even Linux if that is what you care about.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In a related story, the National Building Code and the construction industry have failed to protect homes and offices from burglaries.
We keep trying to solve a social and economic problem with cryptography. Deadbolts are nice, but crime is a problem that can't be addressed solely by architecture.
is free only if your time is worth nothing.
That's exactly why I moved away from Windows for all things computing.
Now that you are Windows-free, how do you buy peripherals while making sure that they work with your preferred non-Windows OS? For peripherals that need drivers, such as printers, scanners, and video cards, the box often doesn't list compatibility with anything but Windows and Mac OS X.
If Linux had majority desktop market share, it would have the same virus problem as Windows.
This "fact" was debunked long ago by OS X virus count related to market share.
Mac OS X has 11 percent market share. I was talking about 51 percent.
The question is not rebooting for kernel updates, it's how much is in the kernel (after all the more that is there the more updates will require a restart) and how frequently (in real life) you need to reboot.
And for both Windows and Ubuntu, it has been about once a month.
The problem is the separation between user and administrator. If you want any kind of security you need the situation where the user asks the administrator "Can I install WeatherBug?" and the administrator says "No!".
If you do not have this separation and ability to deny, you have a home computer. A home computer that when Mommy wants to install WeatherBug she will do it, following whatever instructions are given to her. This means if she was installing it on Linux and it required her to enter a sudo command, she would do it. Period. Without question. Because to do otherwise would not get the desired software installed.
As long as you have that kind of environment, there is no security. Windows isn't important. The lack of real administration and the ability for users to install anything is the only thing that is important.
Specifics?
The things that made Windows intrinsically insecure have been gone for a decade.
If you want any kind of security you need the situation where the user asks the administrator "Can I install WeatherBug?" and the administrator says "No!".
I spent a lot of time as a network admin, and I only once had a user repeatedly infected by deliberately installing malware. LOTS of people infected by clicking 'oh, sure, go ahead and infect me' over and over again. But it seems to be a LOT easier for people to learn from being bitten by installing things than from just clicking "go ahead" on a dialog.
So... the big problem is not people deliberately installing things that bite them, it's people accidentally installing things because the system made it hard to tell that this time they're installing a virus instead of any of the three thousand other things that open up confusing dialog boxes. I think you'd get about 96.44% fewer repeat incidents if you changed the user interface from:
Browser asks user "A webpage you probably shouldn't trust has asked me to do something that's probably stupid, should I do it?"
To:
Browser tells user "I just downloaded a file into your downloads directory."
And let the user open the folder and have an opportunity to go "oh, that's probably something I don't want to open".
Because their computer is ALWAYS asking them "hey, can I do something that might be stupid?", so it's easy to reflexively click "infect me".
As I mentioned before, the web in a way handles this by simply not allowing "web applications" to do anything really damaging. That concept is how I think applications should actually evolve, although it is hard to define "not doing damage" for an application.
The Sugar operating system on OLPC's XO-1 laptop has an interesting model for sandboxing applications, called Bitfrost. But then Bitfrost presents a new API onto which Win32 and POSIX don't easily map.
To some extent, current anti-virus companies, I believe, handle this by continually checking their software against popular software packages and making sure they do not get marked as false positives (or, well, actually have viruses in them).
Some do a better job than others. ClamWin, in particular, uses the ClamAV definitions that are designed more for scanning e-mail than for scanning a hard drive, and for files that aren't often e-mailed (such as Excel.exe), ClamWin shows all sorts of false matches.
In short, yes, whitelisting has issues because, as you say, maintaining the whitelist sanely and securely is a difficult (impossible?) problem.
It's possible if you're Microsoft or Apple. These companies have the resources to maintain a central whitelist called Xbox Live Marketplace or App Store, and their platforms are popular enough and homogeneous enough that they can get away with charging developers $99 per year for XNA Creators Club or iPhone Developer Program to run self-compiled programs on a developer's own machine. Frankly, I prefer the Bitfrost model more.
there are three problems here.
one is, the bad social engineers are winning because the customers are dumber than rocks on click-here installs.
second, anything can run on your computer because we have defined all content good until proven otherwise -- but we can only stop entire sites or entire classes of content based on how it runs if we prove otherwise. custs then work around the controls, see #1 above.
lastly, nobody has even tried to stop embedded crap like loaders in jpg files or poison flash.
we need to start thinking of security as if we were warlords. your crap can't modify OS files -- and the OS can't modify OS files -- without going into a strictly protected mode, a ring-zero concept. and a lot of slop in standards that allows runtime stuff in ostensibly banal purty pictures has to be cleaned up on both the creation and execution sides.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Here's a fun game: any time you see the word "faces" in a headline, substitute in your mind the word "feces".
Ah, good times....
The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.
Ah, I have the solution. Antivirus software should keep the crap it finds a secret, in case bad guys are running it. That way, they'll never know!
*facepalm*
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
>There is nothing intrinsic to Windows which makes client software more susceptible to these things
Let's look at your own points.
>It's far more common for a modern virus to be spread by an infected email
Infected email. There is no such thing on my Mac. One can send some bad thing to me by email, but then what? What do you mean "infected"? Looks pretty much Windows-intrinsic to me.
>drive-by download exploiting either the browser or a plugin
Again no such thing exists on my Mac. Well, probably Safari can be tricked to download an app or a disk image. But then what? It will not be started automatically and it can't do much without my explicit permission anyway. Windows-intrinsic No 2.
>to account for running under an account with reduced privileges
There is no such thing as "reduced privileges" in MacOS. There are "normal privileges". Everyone, even an admin account, runs with normal privileges. To do something dangerous even an admin account needs to ask for permission. Windows-intrinsic No 3. No, I am not nit-picking here. One thing is to recommend to "reduce privileges" for enhanced security, the other is to not have an easy way to run an account without these "reduced privileges".
>you don't need an enormous number of privileges to scan through a user's home directory and forward anything that looks interesting to a remote server
Anything interesting? Like passwords? Passwords are in the Keychain. You can't access the Keychain from an application that is not authorized to access the Keychain. The concept that you can harvest "many interesting things" just by scanning a home dir is definitely a Windows-intrinsic. No 4.
Have I missed something?
Who said anything about drivers? I'm not talking about drivers. I'm talking about user space applications.
Several user space applications require a driver in order to work. One of them is iTunes, whose installer installs both the user-space application called iTunes and a background app called iPodService that depends on a kernel module. When you install iTunes, the installer requests a restart so that iPodService can start working. The iTunes application itself still appears to work without a restart; it just won't find your iPod.
Why does a Windows word processor, document viewer, IM client, etc need a reboot?
Say an app depends on a newer version of libc than the one that was shipped with the oldest supported version of Windows. Windows usually doesn't allow an open file to be deleted and replaced with a newer copy. So in order to replace libc, the installer has to either close all open applications dynamically linked to libc (not likely) or schedule the replacement to happen at restart.
How to identify a new virus?
By looking at what the program does.
* With partitioned application directories, any program that tries to write in another program's directory is suspect.
* The number of apps on most computers that need network access is fairly small. Your AV program should know that Adobe installs a program that periodically checks Adobe's site for updates. That's fine. But Adobe's updater shouldn't be trying to send mail to controller.botnet.ru
* The number of apps that need to run with other than user permissions is small. The AV program should know what these are.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
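The two ideas from the thread, the earlier "warn only when a file's hash does not match a KNOWN release" proposal and the post above on identifying a new virus by what the program does, carried through as an added Python example that is not from any poster here. The vendor hashes, application policy table, directory names, hosts and event log are all constructed, and a SHA-256 allow-list stands in for real signature verification.

```python
"""Added example (not from any post in this thread).

1. A write into the OS area is silent when the file's SHA-256 matches a
   known vendor release and raises a warning otherwise, so the warning
   stays UNUSUAL.
2. A program is judged by what it does: writes into another program's
   directory, connections to unexpected hosts and elevated privileges.

Every hash, policy entry and event below is constructed for the example.
"""
import hashlib
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

OS_DIR = PureWindowsPath(r"C:\Windows\System32")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor releases; a real list would be a
# vendor-published, signed manifest of release hashes.
KNOWN_RELEASE_BYTES = {
    "Acrobat installer (constructed)": b"acrobat-installer-v9\n",
    "Trillian installer (constructed)": b"trillian-setup\n",
}
KNOWN_RELEASES: Dict[str, str] = {
    sha256_hex(blob): name for name, blob in KNOWN_RELEASE_BYTES.items()
}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` lies inside `root`, by components."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def check_os_write(target: str, data: bytes) -> str:
    """Return 'allow' or 'warn' for file contents `data` written to `target`.

    Only writes into the OS area are judged; everything else is 'allow'.
    A known release goes through silently; anything unknown is flagged.
    """
    if not _under(PureWindowsPath(target), OS_DIR):
        return "allow"
    return "allow" if sha256_hex(data) in KNOWN_RELEASES else "warn"


# Per-application policy (constructed): the directory the app owns, the
# hosts it is expected to contact, and whether it may run elevated.
APP_POLICY = {
    "adobe_updater": {
        "home": PureWindowsPath(r"C:\Program Files\Adobe"),
        "net": {"update.adobe.example"},
        "elevated": False,
    },
    "trillian": {
        "home": PureWindowsPath(r"C:\Program Files\Trillian"),
        "net": {"im.trillian.example"},
        "elevated": False,
    },
}

# An observed event: (application, kind, detail); kind is one of
# "write" (target path), "net" (destination host) or "elevate" (reason).
Event = Tuple[str, str, str]


def evaluate(events: Iterable[Event]) -> List[str]:
    """Return one alert string per event that breaks the policy."""
    alerts: List[str] = []
    for app, kind, detail in events:
        policy = APP_POLICY.get(app)
        if policy is None:  # no policy at all: the program is simply unknown
            alerts.append(f"{app}: unknown application ({kind}: {detail})")
            continue
        if kind == "write":
            target = PureWindowsPath(detail)
            others = [p["home"] for name, p in APP_POLICY.items() if name != app]
            if _under(target, OS_DIR) or any(_under(target, h) for h in others):
                alerts.append(f"{app}: write into a directory it does not own: {detail}")
        elif kind == "net" and detail not in policy["net"]:
            alerts.append(f"{app}: unexpected network destination: {detail}")
        elif kind == "elevate" and not policy["elevated"]:
            alerts.append(f"{app}: ran with elevated privileges ({detail})")
    return alerts


# Constructed event log; the host and file names echo the posts above.
SAMPLE_EVENTS: List[Event] = [
    ("adobe_updater", "net", "update.adobe.example"),
    ("adobe_updater", "net", "controller.botnet.ru"),
    ("adobe_updater", "write", r"C:\Program Files\Adobe\Reader\plugin.dll"),
    ("trillian", "write", r"C:\Program Files\Adobe\Reader\hook.dll"),
    ("trillian", "write", r"C:\Users\Pino\Documents\chatlog.txt"),
    ("SexyLadies.jpg.exe", "elevate", "requested administrator rights"),
]

if __name__ == "__main__":
    print(check_os_write(r"C:\Windows\System32\malware_1.dll", b"dropper"))
    for line in evaluate(SAMPLE_EVENTS):
        print("ALERT", line)
```

Run as a script it prints `warn` for the unknown DLL and three alerts: the updater's mail to controller.botnet.ru, Trillian writing into Adobe's directory, and the unknown .jpg.exe asking for elevation.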
I do agree that traditional security measures are insufficient to stop these attacks. The IT security landscape is an arms race right now, and if you are only using antivirus then you are bringing a knife to a gun fight. For example, McAfee offers an application whitelisting product that stopped the "google hack" from running on hosts: http://www.youtube.com/watch?v=LeYgq27zPw4
Also, McAfee has network products (like their web gateway http://www.youtube.com/mcafeetechnical#p/c/F7284D8F9389F0F0/9/rsg0KlCHZgk) that detected the attack at the perimeter and blocked it.
In my opinion, consumers and organizations are not taking the threats seriously enough. There are products on the market that could protect them, but they chose not to use them. Or, worse, they have bought them and have them woefully misconfigured.
There needs to be a shift from reactive measures like antivirus to pro-active measures like application whitelisting. Also, the ability to automatically write antivirus signatures is pretty cool (http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html) but not as effective as whitelisting.
The way Windows is setup, they have a built-in rootkit path for applying patches (stuff that must be written to OS files). Those helpdesk apps that take over your computer or let someone else see your screen work off the same 'exploits.' Don't expect any of those capabilities to go away (and don't assume Linux, VMS, OSX and all other opsys's aren't equally as vulnerable).
See the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period. The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
"When you hear about a massive distributed attack against Mac OS X and linux which goes undetected for a while, let us know." - by Azureflare (645778) on Friday March 12, @01:43PM (#31454480)
See the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period. The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
"the "victims" were all running MS Windows.." - by advocate_one (662832) on Friday March 12, @01:25PM (#31454260)
See the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period. The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" for malware makers/hacker-crackers to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
"The Microsoft operating system has been, always will be insecure. No amount of anti this, anti that or how update date your windows box is; it is not safe to use for any kind of sensitive data." - by Stumbles (602007) on Friday March 12, @01:36PM (#31454396)
See the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period. The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" for malware makers/hacker-crackers to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
"You mean like how OSX and Linux does WITHOUT Antivirus?" - by Lumpy (12016) on Friday March 12, @02:22PM (#31455024)
See the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period.
The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" for malware makers/hacker-crackers to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
"The reason a user can overwrite something in system32 is more an OS security issue than an antivirus security issue. An exploit often runs with administrator rights, (because that's how many Windows users run) and therefore can overwrite anything in the system." - by NotBornYesterday (1093817) on Friday March 12, @04:03PM (#31456472)
First of all - Your nick seems to imply that others may have been "born yesterday", because you're way, Way, WAY "off" on current versions of Microsoft Operating Systems!
(I stated that because what you've just stated doesn't hold true on Windows VISTA, or Windows 7 (or Server 2008) by default)
Additionally, see the subject-line above, & realize 1 thing: Since your *NIX variants allow javascript to run in webbrowsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period.
The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" for malware makers/hacker-crackers to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
The costs you face are having operating systems that don't do 1/2 as much and have only 1/2 the software (or in some cases, hardware too, in peripherals that lack say a *NIX driver) for any kind of purpose there is. How can I say that? Look at any software store and see how many apps are there for Microsoft products, vs. Linux, MacOS X, or any *NIX variant. You also have to consider the reason that it PAYS to build applications for Windows, whereas it does not for *NIX variants (especially the freebie ones). Also, realize 1 thing: Since your *NIX variants allow javascript to run in web browsers or HTML-based emails, or other scriptable document types even (such as Adobe .pdf files that are malscripted), they're just as attackable... period. The only reason your *NIX variants aren't attacked as much is that they don't represent enough of an "attack surface" to go after (they have the "advantage" of "security-by-obscurity"), & since Windows represents a good 95% or so of the actual user-base out there, it only makes sense for malware makers/hackers-crackers & the like to target attacks towards Windows, vs. other OS type variants (especially using attack mechanisms of the kind I noted above, which are just as usable on *NIX variants as they are on Windows).
What you are talking about seems more like a firewall than an anti-virus, right?