Slashdot Mirror


The Effect of Snake Oil Security

Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

36 of 110 comments

  1. Good, Bad and Ugly by hhawk · · Score: 4, Interesting

    I think it's also a very hard concept that Good security can fail some times as well, so it's hard for some managers and others to understand the difference between good security failing and bad security having really never worked at all...

    Good security can fail when new vulnerabilities are found, when risk assessments are not updated in a timely manner, due to human / operator errors, etc.

    --
    http://www.hawknest.com/
    1. Re:Good, Bad and Ugly by JeffSpudrinski · · Score: 5, Insightful

      It can also be hard for folks to understand that you need layered security and that sometimes what worked at one time should be replaced.

      We recently migrated from one solution (McAfee) to another (Sophos). Company management eventually bought in, but the question has been asked "Why were we running inferior stuff to begin with?" McAfee wasn't inferior when we went to it (eight years ago)...they just simply didn't keep up with the times.

      Threat vectors change over time and it is necessary to make yourself essentially a "moving target" by not relying on a single (or even the same) solution over time. If you do an audit and find something lacking...replace it.

      Just my $0.02

      -JJS

    2. Re:Good, Bad and Ugly by ArsenneLupin · · Score: 3, Informative

      It's not vector as in math, but rather vector as in biology. Think fleas carrying diseases.

    3. Re:Good, Bad and Ugly by CarpetShark · · Score: 2, Funny

      Think fleas carrying diseases.

      We're thinking, we're thinking! FFS give us a break, we're only little.

    4. Re:Good, Bad and Ugly by AlecC · · Score: 2, Informative

      The term vector has been reused in other branches of science, with different meanings relevant to this subject. In epidemiology, which has a close analogic relationship to computer security, an infection vector is the means (parasite, contaminated water, sneezing) by which a disease spreads. This is actually a more exact derivation from the Latin original, which meant "one who carries". A threat vector is not the same as a threat, just as a bullet is not the same as a gun. The threat is malaria, the vector is the mosquito.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    5. Re:Good, Bad and Ugly by Bigjeff5 · · Score: 2

      You should look up the word "vector". Maybe read up on a little biology. Pay particular attention to "viruses".

      Usually when you argue a point you are obviously ignorant about, you look stupid.

      Your post is no exception.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  2. Nice article, nice story by suso · · Score: 2, Interesting

    Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.

    1. Re:Nice article, nice story by tverbeek · · Score: 4, Funny

      I was disappointed that the bear-in-the-woods analogy involved neither shit nor the Pope, but it was insightful nonetheless.

      --
      http://alternatives.rzero.com/
    2. Re:Nice article, nice story by (Score.5,+Interestin · · Score: 3, Funny

      Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.

      Preved?

    3. Re:Nice article, nice story by Joebert · · Score: 2

      Think about the bear analogy again. If you feed the guy next to you to the bear, now the bear is satiated. That's great for a while, and you're safe. But when the bear is hungry again, guess who he's going after? You're much better off working together to kill or scare off the bear in that analogy.

      Unless you're smart, like Betty White in Lake Placid.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    4. Re:Nice article, nice story by Anonymous Coward · · Score: 2, Interesting

      Rudyard Kipling said it better...

      IT IS always a temptation to an armed and agile nation,
      To call upon a neighbour and to say:
      "We invaded you last night - we are quite prepared to fight,
      Unless you pay us cash to go away."

      And that is called asking for Dane-geld,
      And the people who ask it explain
      That you’ve only to pay ’em the Dane-geld
      And then you’ll get rid of the Dane!

      It is always a temptation to a rich and lazy nation,
      To puff and look important and to say:
      "Though we know we should defeat you, we have not the time to meet you.
      We will therefore pay you cash to go away."

      And that is called paying the Dane-geld;
      But we’ve proved it again and again,
      That if once you have paid him the Dane-geld
      You never get rid of the Dane.

      It is wrong to put temptation in the path of any nation,
      For fear they should succumb and go astray,
      So when you are requested to pay up or be molested,
      You will find it better policy to say:

      "We never pay any one Dane-geld,
      No matter how trifling the cost,
      For the end of that game is oppression and shame,
      And the nation that plays it is lost!"

    5. Re:Nice article, nice story by tsalmark · · Score: 2

      Without WiFi you can not be hacked in the woods while drinking beer. However, rain, children with half-melted marshmallows and chipmunks can all necessitate a trip to your local computer store.

  3. In short by guruevi · · Score: 5, Insightful

    Statistics can be made to show anything; managerial and C-level executives have to be more responsible, and in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.

    The main problem imho is that there are no real punishments when something goes bad. If somebody gets hacked the old adage of "it's happening more often throughout the industry" is used to redirect the blame from the gatekeepers to the attackers. If somebody doesn't get hacked while the competition is, the executives get praised even though they might not have done anything meaningful. Back in the day when castles (security products) were used to protect a lord (the data or the company) and the gatekeeper (managers and sysadmins) didn't do their job, the gatekeeper would get flogged, stripped naked and/or executed. The soldiers didn't blame someone else when somebody invaded their castle and they didn't pat themselves on the back as 'doing a good job' when the neighboring castles were ransacked.

    Security procedures have nothing to do with the rest of the industry. Most likely they're unique to your company and structure, and one time, you're going to be up for a targeted attack and you should be ready at all times.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:In short by John+Hasler · · Score: 2, Insightful

      ...in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.

      Not if the customers react by taking their business elsewhere.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:In short by jimicus · · Score: 2, Insightful

      Not if the customers react by taking their business elsewhere.

      They haven't yet.

    3. Re:In short by Bert64 · · Score: 2, Insightful

      Which in many cases they can't do, since they're locked in.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:In short by BobMcD · · Score: 3, Insightful

      The main problem imho is that there are no real punishments when something goes bad.

      This is quite true, but there's simply no viable alternative. Who would wield the power of 'real punishment' in the hypothetical 'fix' scenario? The government?

  4. The nature of humanity? by lightspeedius · · Score: 3, Insightful

    I think we will solve the issues of computer security about the same time we figure out how to deal with conflicts within ourselves and humanity.

  5. Who needs security ... by tgd · · Score: 3, Insightful

    When your webserver dumps its cargo at the first sign of an Imperial Cruiser ...

  6. Re:It's the OS, stupid by jimicus · · Score: 5, Insightful

    I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.

    The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.

    The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

    Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"

  7. Re:Password Post-It on the screen by Dr_Barnowl · · Score: 4, Insightful

    Well, no. Most of them are configured to remove the possibility of that choice from the user - if they detect a virus, they quarantine the file and don't give you a choice. It's more that they can't detect everything. After that, it's not the virus scanners' fault if users have poor digital hygiene.

    For what it's worth, I run my personal Windows boxes without anti-malware and anti-virus, respect a few general principles, and don't have problems. But explaining this to common users seems to be impossible. They seem to be unable to apply general principles, instead needing specific directions for every little circumstance.

    People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.

  8. not just security by Tom · · Score: 4, Interesting

    It isn't just security. I supervise the IT audits in our company, and I can't count anymore how often fake procedures have been tried to be passed off as actual processes. Right now, our software development managers try to tell everyone how "agile" they are - but the real work their people do has nothing to do with agile development whatsoever. I've seen so-called "change management" that wasn't worthy of even being in the same room with actual change management, and "access controls" that were essentially bullshit in paper form.

    There are usually two causes for this: Malicious people who are greedy for either power and/or money, or incompetent people who don't understand what they're doing (or managing) but are too afraid to ask for help and too stupid to find it on their own. Both kinds of people try to pass off what they're doing as the real thing and will respond to any attempts at questioning or changing it with hostility. In fact, that hostility is a pretty good indicator of both snake oil and incompetence.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not just security by Runaway1956 · · Score: 2

      "Educate them gently." That's why I carry a billy club. A Colt .45 is just too much for some people.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:not just security by Garwulf · · Score: 4, Interesting

      I can vouch for that...

      I used to work in the public sector. A few months before I left to return to school, we changed computer consultants to a new guy, and to this day I swear he was deliberately creating problems so he could bill us for solving them.

      It started off with a computer audit. Now, I'm not a professional computer consultant, but I've been around computers pretty much my entire life, and my father used to be a consultant. My idea of an audit is to generate a list of what programs are running, what anti-virus programs are in place, what firewall is in place, what processes are running, etc. So, when I found out that my computer was about to be audited, I was prepared to be away from it for half an hour to an hour.

      Instead, he checked the Windows version, and moved on.

      Now, to understand this story, one of the things you have to understand is that I was an unofficial IT guy in the office. And, I had taken a couple of steps for basic security (this was back around 2003), such as moving everybody away from Outlook Express and onto Netscape mail. It was a small Windows 2000 network in a small office, and so long as it was kept behind a hardware firewall and nobody did anything terribly stupid, it was fine aside from the occasional software glitch.

      The first recommendation that he put in, and management enforced, was to take everybody off Netscape and put them back onto Outlook Express. Massive infection of the entire network followed. Then, as I was the guy who started complaining that something was wrong here, he tried to blame me for hacking the system.

      Now, this wasn't the main reason I left to go back to school (one of the problems with working in social services is that it can be very soul destroying work, and I had reached the point where I just couldn't continue any further), but it definitely gave me a good dose of snake oil before I left...

      --
      Robert B. Marks
      Author, Demonsbane in Diablo Archive
  9. Re:Password Post-It on the screen by hedwards · · Score: 2, Insightful

    That works well, until some jerk finds an exploit in Windows' TCP/IP stack and you get infected by a worm. Or a new attack vector comes out such as the ones that relatively recently allowed for images and PDFs to be infected. Running Windows without antivirus and antimalware is irresponsible no matter how careful you are; it's not meant to preclude or replace an individual's responsibility, but it works well as a backup.

  10. Re:It's the OS, stupid by Stumbles · · Score: 3, Interesting

    What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

    That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around. If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows. That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.

    --
    My karma is not a Chameleon.
  11. This one liner you learn must, Luke. by Anonymous Coward · · Score: 2, Insightful

    Security is a process, not a product.

    Every time, I mean *every damn time*, someone tells you only to buy this or that product to get more security, he/she is fooling you. Security is a process that needs knowledgeable people with the right tools and the right amount of time available, not just colorful boxes sold by well dressed salesmen. Unfortunately most execs still can't grasp that simple concept.

  12. Springfield Bear Protection System by quetwo · · Score: 2, Insightful

    Ever since we installed the Springfield Bear Protection System, there haven't been any bears in our neighborhood! It works great!

  13. Re:It's the OS, stupid by Alex+Belits · · Score: 3, Insightful

    Users will need antiviruses for Linux in the event its popularity goes up.

    Because Linux software automatically runs executables downloaded from the Internet, right?

    The idea of "antivirus" is idiotic to begin with -- analyze something you already have on your computer in the hope of recognizing something that already infected millions of computers before you (or otherwise how would McAfee know it?). Security comes from lack of vulnerabilities in your permissions/access model -- something that is pretty easy to accomplish as long as you develop such a policy in the first place. For example, modern Linux desktop environments handle .desktop files in an insecure manner, and this can be easily fixed by treating them as executable script files (no execute bit means you can't execute it) even though they are not scripts from the kernel's point of view. The fact that the web browser always runs under the user ID of the user who started it is another thing that should be fixed, as it's too large to be a trusted program. However those things can and will be fixed without introducing the "let's look for 'sudo rm -rf /' everywhere" approach that only exists because the Windows security model is broken and unfixable.

    --
    Contrary to the popular belief, there indeed is no God.
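Posts 13 and 20 in this thread both rest on the same mechanism: a downloaded file does not run until the user sets the execute bit, and .desktop files should be held to that rule too. The block below is an added example, not code from the thread or from any desktop environment: a launcher-side policy in Python that refuses to run a .desktop file's Exec= line unless the file is root-owned in a system applications directory (the package-manager case) or the invoking user owns it and has set the execute bit. The directory list, the refusal of group/world-writable files and the symlink rule are my assumptions.

```python
"""Launch policy for freedesktop .desktop files (added example, not from the thread)."""
import os
import stat
import tempfile
from configparser import ConfigParser, Error as ConfigError

# Assumed list of directories a package manager populates; entries here are
# trusted by location and ownership rather than by execute bit.
SYSTEM_APP_DIRS = ("/usr/share/applications", "/usr/local/share/applications")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or {} if it is missing or malformed."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive (Name[de], Exec, ...)
    try:
        cp.read_string(text)
    except ConfigError:
        return {}
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp["Desktop Entry"])


def launch_decision(path, text, mode, uid, owner_uid):
    """Decide whether the Exec= line of a .desktop file may run.

    Returns (allowed, reason). mode is the file's st_mode, uid the caller's id and
    owner_uid the file owner; they are parameters so the policy is testable offline.
    """
    entry = parse_desktop_entry(text)
    if not entry:
        return False, "malformed: no [Desktop Entry] group"
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return False, "nothing to execute (not an Application entry with Exec=)"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world-writable: anyone could rewrite Exec="
    abspath = os.path.abspath(path)
    in_system_dir = any(abspath.startswith(d + os.sep) for d in SYSTEM_APP_DIRS)
    if in_system_dir and owner_uid == 0:
        return True, "installed by the package manager (root-owned, system directory)"
    if owner_uid != uid:
        return False, "owned by another user outside the system directories"
    if not mode & stat.S_IXUSR:
        return False, "no execute bit: treat like an unmarked script (fresh download)"
    return True, "user explicitly marked it executable"


def check_file(path, uid=None):
    """Apply launch_decision to a real file on disk."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink: refuse rather than follow to a file with other permissions"
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    caller = os.getuid() if uid is None else uid
    return launch_decision(path, text, st.st_mode, caller, st.st_uid)


def main():
    # Constructed sample entry; a neutral Exec= so the demo is harmless to run.
    sample = "[Desktop Entry]\nType=Application\nName=Demo\nExec=xterm\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # what a browser download looks like
        print("fresh download:", check_file(path))
        os.chmod(path, 0o744)  # user deliberately ran chmod u+x
        print("after chmod u+x:", check_file(path))


if __name__ == "__main__":
    main()
```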
  14. Re:It's the OS, stupid by jimicus · · Score: 2, Informative

    However those things can and will be fixed without introducing the "let's look for 'sudo rm -rf /' everywhere" approach that only exists because the Windows security model is broken and unfixable.

    No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.

    What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed. You could argue this is because of history (Applications that were written in the days of '9x and have never been updated to account for a security model), because of laziness (too many software houses giving their devs admin rights) or because it's simply too complicated for its own good, but there's only one of those arguments which might reasonably be translated as meaning that the model is broken and unfixable.

  15. Re:It's the OS, stupid by HungryHobo · · Score: 2, Insightful

    Linux has had a hell of a lot of security problems over the years.
    I like Linux, I like open source, but it isn't magic.
    Pick an unpatched, reasonably out-of-date Linux system and you can find security holes in it.

    Linux seems to get patched slightly faster, but that's about it.
    It also seems to attract some of the more anal security nuts as devs for some crypto-focused applications, who err on the side of security vs usability since they can do it how they want rather than how some marketing manager wants.

    Its biggest advantage is that Linux tends to attract the kinds of users who keep their patches up to date and know to avoid some of the more foolish things you can do.
    Its next biggest advantage security-wise is that attackers who are in it for the money are going to go after the largest pool of targets, and simply put, Linux is still on the margins.

    But Linux is not a magic bullet.
    If you replaced all Windows machines in the world overnight with Linux machines and put the same people in charge of them, Linux would fare little better vs the malware authors.

  16. Re:Password Post-It on the screen by HungryHobo · · Score: 2, Insightful

    Antivirus software is useless for actual security; in general, by the time the AV detects it you've already been infected and the virus has done its dirty work (unless you're lucky and it catches it as it tries to infect you).

    If it's a true worm, chances are high you'll be infected before the AV company adds it to their database or before the update is downloaded.
    Antivirus software is an example of enumerating badness.
    You pay a company a few dollars a month to try to keep track of everything bad in the world,
    which is a terrible way to do security.

    Even the best AV software has fairly crappy hit rates and will do nothing against a customized/targeted attack.

    Its only true value is as a performance metric (which has value in itself).
    If the antivirus ever detects anything, then it means all your real security has failed miserably.

    Putting antivirus on a computer eliminates the need for real security in the same way that counting the money in the bank once a week eliminates the need for vault walls.
    It's a good thing to do, but it's no substitute for real security.

  17. Re:It's the OS, stupid by wshs · · Score: 3, Insightful

    Most recent attacks have been via stupid users, not buggy OS. The reason Linux hasn't been targeted is threefold: 1) next to nobody uses it, thus a waste of effort to write malware for it; 2) its users aren't retarded; 3) each distro is completely different, unlike different Windows versions.

  18. Re:Password Post-It on the screen by mlts · · Score: 2, Insightful

    TBH, the only thing that really helps with malware infections is having good backups, and a well practiced method of restoring data, either just grabbing a couple files, or a complete bare metal restore from boot media or a PXE server. The ideal media for backups is something that can be set to read-only like tapes or WORM media like optical. This way, malware can't alter the contents once written.

    AV programs are nice, and sometimes they do catch a Trojan or two, but I've cleaned a lot of systems where the AV service was happily running side by side with the botnet client. Since a lot of new Windows malware encrypts sectors and parts of the OS to screw up safe mode booting, the only real way to get rid of a lot of infections is to save as much data off to an external drive, dd if=/dev/zero of=/dev/sda to completely zero out the drive (or even better HDDErase), repartition, and reinstall the OS and applications.

    This is why I urge people to get a backup utility that is able to do backups daily automatically, preferably from a backup server.

  19. Re:It's the OS, stupid by Alex+Belits · · Score: 2

    No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.

    1. No, it's not. ACLs are available on Linux, however no one uses them because they are a stupid idea.

    2. A more complex system of permissions and restrictions is not what makes a system secure. To make a system secure you have to have a consistent policy and a consistent implementation -- fine-grained control merely creates more possible ways to bypass things.

    What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed.

    Applications are not supposed to respect it -- the system has to force it upon applications. The fact that plenty of Windows applications still can't be brought to a condition where they don't break horribly under any sane security model is another problem, and that problem is specific to Windows.

    --
    Contrary to the popular belief, there indeed is no God.
  20. Re:It's the OS, stupid by Alex+Belits · · Score: 2, Informative

    Interesting question. Is there anything really impeding Linux from automatically running executables downloaded from the Internet? I bet not.

    It's the executable permission bit. If a file is downloaded by anything other than the package manager, it remains non-executable until the user explicitly sets it on the command line or in a scary-looking permission setting screen. Since all applications are installed by a package manager, the only time a user will want to touch the executable bit himself is when he is really sure he has to run a file.

    So, on one hand we have that "the year of Linux on the desktop" hasn't arrived yet because of "cumbersome" limitations that make it "difficult for average joe" to use it, so "Linux isn't attacked by so many threats because it's more profitable to attack the wider Windows base"; on the other hand, as per current "analysis" from "experts", in order for Linux to take the desktop it should implement the same Windows easiness that allows for both "average joe" and the worms to take advantage of the platform.

    Oh, I see. You are either a Microsoft astroturfer or an idiot, so you just copy-paste some of your "discussion examples" to make it look like you have something relevant to say.

    --
    Contrary to the popular belief, there indeed is no God.