Security Industry Faces Attacks It Can't Stop
itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
the "victims" were all running MS Windows...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
[citation needed]
Oh and conspiracy theories are not adequate citations. You could at least try to not sound like an idiot.
"I use a Mac because I'm just better than you are."
Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid (or lazy) than they claim to be.
Yeah, and then Schneier stated in a retraction that that wasn't the case.
The "security industry" is NOT interested in putting itself out of business by selling WORKING products.
That's why the "perfectly installed antivirus" gets daily updates and STILL CANNOT TELL A GOOD FILE FROM A BAD FILE.
Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
It's far easier to identify the files that SHOULD be allowed than it is to identify a possible threat.
The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.
AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect. Same with IDS and the lot of it.
In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better. The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
If the "M" virus hits the RSA conference, is it the MSRA virus?
Free Martian Whores!
This is a terribly ignorant statement. The security has actually succeeded in protecting paying customers from all but the most pernicious threats. IT security is about reducing risk, and that's what it does--successfully.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
The Microsoft operating system has been, and always will be, insecure. No amount of anti-this, anti-that, or how up to date your Windows box is matters; it is not safe to use for any kind of sensitive data.
My karma is not a Chameleon.
Kittens don't have hands. They have paws. But yes, I agree with you. Maybe seeing a few pictures like that would get people to stop clicking the links.
Film at 11.
One thing that shouldn't surprise me anymore but keeps surprising me is that it seems like the more money you pay for software, the more half-assed it is. You get an off-the-shelf product like Quickbooks, it's impressive. You look at stuff that's industry-specific, specialized software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be the lack of competition means there's no real reason to improve the product beyond what it already does.
I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
The dark side of computer "security" pays far better than the good side. I was contracted to set up a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.
The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know, the other 12 were support for shipping, gathering information, making contacts, and advertising, etc. When dealing with spyware/malware, there is a lot of butt covering, and evasion.
The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.
How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?
There is no perfect security, offline or online.
I like to say there are 3 main types of attacks:
We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.
Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.
This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.
Blessed are the pessimists, for they have made backups.
That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.
Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.
It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.
I work for the Department of Redundancy Department.
The problem is that they haven't even hit the 50% mark. They cannot even reliably detect threats that are over a year old.
Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).
I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.
It is not in the "security industry"'s best interest to commit to real improvements in security.
e (damn /. and its short subject field).
Our state CISO was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.
By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.
He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."
As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.
I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:
Site one
Site two
Further, here is an article which talks to the firee after he became the state's first CISO and what he had to contend with.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
No? Then it isn't an issue.
Now, if you're trying to store your shopping list on c:\windows\system32 ... then the anti-virus app should block you.
As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.
A side benefit of this would be that the anti-virus app could also tell you that you have vulnerable, unpatched apps on your system.
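An added illustration of the write gate proposed in this subthread (the "block writes to the OS unless the file is known good" idea, the shopping-list objection, and the side benefit of spotting outdated files). This is example code written for this page, not code from any commenter or from an antivirus vendor. It assumes a publisher-maintained allowlist keyed by SHA-256 with a `current` flag per entry, Windows-style protected roots, and constructed byte strings standing in for real system binaries so that it runs offline.

```python
"""Allowlist write gate for OS directories: block unless the content is known good.
Added illustration with constructed data; not a vendor product."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Directories the gate protects (constructed for this example). Windows-style
# paths; comparison is case-insensitive, as NTFS is.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files")


@dataclass(frozen=True)
class Known:
    name: str       # what the allowlist publisher says this hash is
    current: bool   # False: known good, but superseded by a patched build


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries so the example runs offline; a
# publisher's list would carry hashes of the real files.
GOOD_DLL_V2 = b"MZ fake system dll, build 2 (current)"
GOOD_DLL_V1 = b"MZ fake system dll, build 1 (superseded)"
ALLOWLIST: Dict[str, Known] = {
    sha256(GOOD_DLL_V2): Known("netapi.dll 2.0", current=True),
    sha256(GOOD_DLL_V1): Known("netapi.dll 1.0", current=False),
}


def canonical(path: str) -> str:
    """Collapse '..' and '.' and fold case, so a traversal spelling such as
    C:\\Users\\..\\Windows\\x.dll is judged by where it really lands."""
    return ntpath.normcase(ntpath.normpath(path))


def is_protected(path: str) -> bool:
    p = canonical(path)
    for root in PROTECTED_ROOTS:
        r = canonical(root)
        # Require a separator after the root so C:\WindowsOld is not matched.
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def gate_write(path: str, content: bytes) -> Tuple[str, str]:
    """Decide whether a write of `content` to `path` may proceed.
    Returns (decision, reason); decision is 'allow' or 'block'."""
    if not ntpath.isabs(path):
        # Cannot tell where a relative path lands without the writer's CWD.
        return "block", "relative path: protection cannot be evaluated"
    if not is_protected(path):
        # User data (a shopping list in a profile folder) is never gated.
        return "allow", "outside protected roots"
    known: Optional[Known] = ALLOWLIST.get(sha256(content))
    if known is None:
        # Unknown bytes headed for an OS directory: the default is deny.
        return "block", "content not on the allowlist"
    if not known.current:
        # Still a legitimate file, but the gate can report it as outdated.
        return "allow", f"known but superseded: {known.name}"
    return "allow", f"known good: {known.name}"


if __name__ == "__main__":
    for path, data in [
        (r"C:\Users\alice\shopping.txt", b"milk, eggs"),
        (r"C:\Windows\System32\shopping.txt", b"milk, eggs"),
        (r"C:\Users\..\Windows\System32\evil.dll", b"MZ evil"),
        (r"C:\Windows\System32\netapi.dll", GOOD_DLL_V2),
        (r"c:/windows/system32/netapi.dll", GOOD_DLL_V1),
    ]:
        print(path, "->", gate_write(path, data))
```

Two things a practitioner would check before trusting a gate like this: the path has to be canonicalised before the root test, otherwise `..` segments and mixed case walk around the protected directories; and a hash-only allowlist binds content but not name, so a known-good binary can still be dropped under a different filename in a protected directory. Binding entries to an expected path, and putting any user override behind a separate policy layer rather than inside the gate, are the next steps this sketch deliberately leaves out.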
How can a perfectly installed AV detect a new virus or malware that does not have a previously identified signature? Or is being implemented in an entirely new way which is not currently in the AV or security program's list of possible intrusion scenarios? AV and security programs are nothing more than window dressing allowing IT execs to say "look, we are doing all we can to prevent these problems; what else can I do?" Their bosses see the programs running and believe they are safe.
An AV program will never prevent new viruses. Once a new virus is in the wild it will infect a certain number of users; once it is recognized to be a new virus the AV companies will create a definition for it. There are always a few unlucky ones who will be infected; this is a given, but not something any AV company will admit to. At this point it is the responsibility of the IT staff to do the only guaranteed thing which will remove the virus: format the drive and reinstall the OS. Too many people feel they can remove the infection, and while this may be true in a very limited number of cases, there is always the possibility that the virus your AV has recognized is a variant which is still unknown.
Let's face it, the only reason people realize they have a virus is because their computer starts acting "funny". A well-written virus may never produce any indication of an issue and may go on working happily until either the user renews their AV program or retires their computer.
You don't need to click any more. Most of the malware I'm cleaning up these days is delivered via Flash, and distributed by advertisement servers that have been hacked. All you have to do is visit a site that gets paid to serve random ads, and you can get infected.
You could at least try to not sound like an idiot.
Which is why I am staying out of this conversation ... except for that ... and that ... oh, never mind.
Yeah, read the whole thread. You might notice that that was my original point.
The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.
If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.
But they don't do that. See the sentence above the sentence right above this one.
We should feel lucky we don't have Cylons yet. They hacked 5 layers of firewalls in a matter of several minutes...and it took many episodes and a reboot via hot skin job sticking things into her arm before they finally removed all trace of the virus.
If security is that difficult, then why haven't all the banks been emptied by now?
There are some problems that you have to pay money to have.
True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.
You are asserting that the costs of a computer end at purchase, they do not. With Windows, the purchase price is only the beginning of your costs. Anti-virus, maintenance, upgrading, rebooting, these costs dwarf the purchase price.
Obviously it must be one of those national security letters that let them do anything and nobody can talk about having gotten one.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Your mom.
Possibly mine also ...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
When people call me a thief for viewing pages without ads (by blocking Flash), I rebut with this. I trust Slashdot. I may not trust Slashdot's advertising partners. And Slashdot doesn't (and probably can't) vet the ads before they're displayed.
Here's a recent example of malware-infested ads appearing on a pretty big site:
http://news.cnet.com/8301-27080_3-10466753-245.html
Specifically ads included in the Drudge Report:
http://news.cnet.com/8301-27080_3-10466044-245.html
I've often been tempted to go all out with ad blocking, not because I hate ads, but because a new exploit could make e.g. simple images a vector for attack.
Well, my BIND does announce itself as a Win95 beta version...
and my semi-automated countermeasures do ban your IP for 24 hours every time it detects something I didn't explicitly allow,
and my firewall rules begin with Deny All.
I just love heterogeneous IT systems... makes it moderately harder to penetrate.
But hey, just a suggestion to all the preceding posts: /sarcasm engaged //sarcasm ends, logic loop detected
IF OSX IS SO SECURE, WHY NOT MAKE ALL WAN FACING FIREWALLS/PROXIES WITH MACS
So in other words, you're saying preinstalled Windows is free only if your time is worth nothing. Where have I heard that one before?
No, he's saying that the total cost of Windows is greater than the purchase cost of Windows. He's also saying that the total cost of Windows is greater than the total cost of some alternative, one which doesn't have the same problems.
Viruses exist for all operating systems.
True.
Take GNU/Linux on x86 for example: a virus running as a limited user can infect all programs installed into a user's home directory.
Also true, with the caveat that on GNU/Linux, a downloaded virus doesn't automatically have the ability to be run.
If Linux had majority desktop market share, it would have the same virus problem as Windows.
This is a non-sequitur, none of your prior assertions implies this.
Windows has RTM through Service Pack 3; Ubuntu has Hardy Heron through Karmic Koala.
Number of upgrades is meaningless, cost of upgrades, in both time and money, is meaningful.
What operating system doesn't need to reboot for a kernel update?
I'm not sure about other *nixes, but rebooting for a kernel update isn't strictly necessary in Linux if you use KSplice.
http://www.mhall119.com
Or we could do true layered defenses in security and redesign the OS to support them. Don't put crap into ring 0 just for "performance" purposes. Use micro-kernels and use messaging systems for interprocess communications. Place OS files into their own, protected partition and control access rigorously. Sign them. Allow unsigned drivers if need be, but sandbox them. Limit "shared" libraries and directories (hello Microsoft and Adobe). Drop legacy application support unless seriously sandboxed in a virtual environment. Heck, sandbox current applications the same way. And so on.
Today's processors and multi-core systems are fast enough to handle the overhead. Drives are huge. Allocate a full 10% of the processor budget to security. Why should we not sacrifice a few FPS in Quake or Unreal for hardened systems that are much, much, much more resistant to tampering and infection?
We know what we need to do. Just do it.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?
The comparison I was making was to downloaded .exe files in Windows, which by default are executable.
The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.
A regular release upgrade in Ubuntu is not equivalent to a Service Pack in Windows. Nor is an LTS release upgrade necessarily equivalent to a regular release upgrade in Windows. But either way, Ubuntu releases will continue to be free, whereas you'll eventually run out of SP upgrades on your version of Windows.
Ksplice costs 48 USD per year [ksplice.com] unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all.
KSplice Uptrack is a service that costs money. KSplice itself is open source, and available for free.
As I mentioned before, the web in a way handles this by simply not allowing "web applications" to do anything really damaging. That concept is how I think applications should actually evolve, although it is hard to define "not doing damage" for an application.
The Sugar operating system on OLPC's XO-1 laptop has an interesting model for sandboxing applications, called Bitfrost. But then Bitfrost presents a new API onto which Win32 and POSIX don't easily map.
To some extent, current anti-virus companies, I believe, handle this by continually checking their software against popular software packages and making sure they do not get marked as false positives (or, well, actually have viruses in them).
Some do a better job than others. ClamWin, in particular, uses the ClamAV definitions that are designed more for scanning e-mail than for scanning a hard drive, and for files that aren't often e-mailed (such as Excel.exe), ClamWin shows all sorts of false matches.
In short, yes, whitelisting has issues because, as you say, maintaining the whitelist sanely and securely is a difficult (impossible?) problem.
It's possible if you're Microsoft or Apple. These companies have the resources to maintain a central whitelist called Xbox Live Marketplace or App Store, and their platforms are popular enough and homogeneous enough that they can get away with charging developers $99 per year for XNA Creators Club or iPhone Developer Program to run self-compiled programs on a developer's own machine. Frankly, I prefer the Bitfrost model more.
Coolest troll of the year; you even got modded insightful. Now, I do have mod points, but it's more fun to refute your "proof" than to mod you down.
A proof in Logic is the situation where every row in the table contains "true", in other words, if the statement is a tautology. Now in the truth table you linked, the second line is false, so you cannot prove "if p then q" for every "p" and "q".
Now you could argue that we're not talking about every "p" and "q", but only about the true ones. But then you would establish causation between every two true propositions:
From p = "1 + 1 = 2" and q= "France is a European country"
would follow, by your logic, "if p then q" and also "if q then p".
Even more, from the table you could prove that "if 1+1=3 then France is a European country" and "if 1+1=3 then France is an American soft drink" as being true.
For classical proposition logic, the "content" of a proposition is its truth value and nothing but its truth value. This is fine for AND, OR and NOT, but with "IF THEN" you get all kinds of problems. The material implication is not a good model for causation, that's why there are things like for example relevance logic.