The Effect of Snake Oil Security

Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

Good, Bad and Ugly

[hhawk]

I think it's also a very hard concept that Good security can fail some times as well, so it's hard for some managers and others to understand the difference between good security failing and bad security having really never worked at all...

Good security can fail when new venerabilities are found, when risk assessments are not up dated in a timely manner, to do human / operator errors, etc.

Nice article, nice story

[suso]

Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.

Re:Nice article, nice story

Rudyard Kipling said it better...

IT IS always a temptation to an armed and agile nation,
To call upon a neighbour and to say:
"We invaded you last night - we are quite prepared to fight,
Unless you pay us cash to go away."

And that is called asking for Dane-geld,
And the people who ask it explain
That you’ve only to pay ’em the Dane-geld
And then you’ll get rid of the Dane!

It is always a temptation to a rich and lazy nation,
To puff and look important and to say:
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."

And that is called paying the Dane-geld;
But we’ve proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.

It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray,
So when you are requested to pay up or be molested,
You will find it better policy to say:

"We never pay any one Dane-geld,
No matter how trifling the cost,
For the end of that game is oppression and shame,
And the nation that plays it is lost!"

not just security

[Tom]

It isn't just security. I supervise the IT audits in our company, and I can't list anymore how often fake procedures have been tried to pass of as actual processes. Right now, our software development managers try to tell everyone how "agile" they are - but the real work their people do has nothing to do with agile development whatsoever. I've seen so-called "change management" that wasn't worthy of even being in the same room with actual change management, and "access controls" that were essentially bullshit in paper form.

There are usually two causes for this: Malicious people who are greedy for either power and/or money, or incompetent people who don't understand what they're doing (or managing) but are too afraid to ask for help and too stupid to find it on their own. Both kinds of people try to pass off what they're doing as the real thing and will respond to any attempts at questioning or changing it with hostility. In fact, that hostility is a pretty good indicator of both snake oil and incompetence.

Re:not just security

[Garwulf]

I can vouch for that...

I used to work in the public sector. A few months before I left to return to school, we changed computer consultants to a new guy, and to this day I swear he was deliberately creating problems so he could bill us for solving them.

It started off with a computer audit. Now, I'm not a professional computer consultant, but I've been around computers pretty much my entire life, and my father used to be a consultant. My idea of an audit is to generate a list of what programs are running, what anti-virus programs are in place, what firewall is in place, what processes are running, etc. So, when I found out that my computer was about to be audited, I was prepared to be away from it for half an hour to an hour.

Instead, he checked the Windows version, and moved on.

Now, to understand this story, one of the things you have to understand is that I was an unofficial IT guy in the office. And, I had taken a couple of steps for basic security (this was back around 2003), such as moving everybody away from Outlook Express and onto Netscape mail. It was a small Windows 2000 network in a small office, and so long as it was kept behind a hardware firewall and nobody did anything terribly stupid, it was fine aside from the occasional software glitch.

The first recommendation that he put in, and management enforced, was to take everybody off Netscape and put them back onto Outlook Express. Massive infection of the entire network followed. Then, as I was the guy who started complaining that something was wrong here, he tried to blame me for hacking the system.

Now, this wasn't the main reason I left to go back to school (one of the problems with working in social services is that it can be very soul destroying work, and I had reached the point where I just couldn't continue any further), but it definitely gave me a good dose of snake oil before I left...

Re:It's the OS, stupid

[Stumbles]

What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around. If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows. That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.