Security Industry Faces Attacks It Can't Stop
itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
the "victims" were all running MS Windows...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
The Microsoft operating system has been, and always will be, insecure. No amount of anti this, anti that, or how up to date your windows box is; it is not safe to use for any kind of sensitive data.
My karma is not a Chameleon.
Kittens don't have hands. They have paws. But yes, I agree with you. Maybe seeing a few pictures like that would get people to stop clicking the links.
The dark side of computer "security" pays far better than the good side. I was contracted to set up a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.
The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know; the other 12 were support for shipping, gathering information, making contacts, advertising, etc. When dealing with spyware/malware, there is a lot of butt covering and evasion.
The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.
How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?
There is no perfect security, offline or online.
I like to say there are 3 main types of attacks:
We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.
Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.
This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.
Blessed are the pessimists, for they have made backups.
That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.
Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.
It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.
I work for the Department of Redundancy Department.
The problem is that they haven't even hit the 50% mark. They cannot even reliably detect threats that are over a year old.
Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).
I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.
It is not in the "security industry"'s best interest to commit to real improvements in security.
You don't need to click any more. Most of the malware I'm cleaning up these days is delivered via Flash, and distributed by advertisement servers that have been hacked. All you have to do is visit a site that gets paid to serve random ads, and you can get infected.
Not automatic, but whitelisting security systems like that exist. Core Force is the one I know of. It has some sort of system for sharing whitelists for specific applications among users.
Centralization breaks the internet.
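The "identify the LEGITIMATE files and flag everything else" idea from the comments above (and the whitelisting systems such as Core Force mentioned in the reply) can be illustrated with a small allow-list audit. This is an added example, not code from Core Force, from any commenter, or from any product: it takes a baseline manifest of SHA-256 hashes over a trusted directory tree, then reports files that are unknown (not in the manifest), modified (hash differs) or missing. The sample directory, file names and contents are constructed inline so the script runs offline. The caveat raised in the thread still applies: the manifest is only as trustworthy as the moment it was taken, so it must be captured from a known-clean install, and a userland audit like this detects after the fact rather than blocking the write the way an in-kernel whitelisting driver would.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def audit(root, manifest):
    """Compare the tree under root against a trusted manifest.

    Returns (unknown, modified, missing): unknown files are the ones an
    allow-list policy would refuse; modified files indicate tampering with a
    previously approved file; missing files were deleted since the baseline.
    """
    current = build_manifest(root)
    unknown = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return unknown, modified, missing


def demo():
    """Constructed scenario: baseline a tiny 'system' tree, then simulate a drop and a patch."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"known good binary (constructed sample)")
        with open(os.path.join(root, "bin", "cp"), "wb") as f:
            f.write(b"another known good binary (constructed sample)")

        # Baseline taken while the tree is trusted; this is the allow-list.
        manifest = build_manifest(root)

        # Simulated events after baselining: an unrecognised file appears and an
        # approved binary is altered. Both are hypothetical, constructed inputs.
        with open(os.path.join(root, "bin", "unknown.bin"), "wb") as f:
            f.write(b"file not on the allow-list")
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b" (appended bytes)")

        return audit(root, manifest)


if __name__ == "__main__":
    unknown, modified, missing = demo()
    print("unknown:", unknown)
    print("modified:", modified)
    print("missing:", missing)
```

Run as a script it prints the three lists for the constructed scenario. In practice the manifest would be signed and stored off-host, and the audit scheduled or triggered by a file-system watcher, so that a compromised machine cannot quietly rewrite its own baseline.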
Your mom.
Possibly mine also ...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker