Stuxnet's Legacy: Get Back to Basics or Get Owned

Gunkerty Jeb writes "Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies."

Security is hard

No matter how much companies (and individuals) would like to pretend otherwise, security is really hard to do. It's not just a matter of having the right technology in place; people have to follow some inconvenient rules and exercise self control and common sense.

So we're always going to have some of these problems.

Re:Security is hard

Exactly. Vigilance ... and trying to protect clients/users/family from themselves ... is the only way to be sure.

if somebody needs to be protected from themselves i say fuck it, let them get 0wned. see if they ignore your advice next time. if they do it enters this beautiful category called not your problem. there is nothing cruel about that. you cannot help people who do not want to help themselves. you can only respect their decision.

everything that follows is hypothetical in nature. i do not advocate anybody actually do this. but if it happened anyway even though i do not advocate it, i will explain what the results would be.

in my personal opinion i almost wish somebody would just go ahead and make some truly destructive malware. something designed to spread for a little while and then securely wipe every last writable partition it can access. let it use already patched vulnerabilities only. that'd be the best way to take the insecure machines offline until their owners get a clue or hire somebody with a clue. i like that better than isps becoming the malware cops. i like that better than organized criminals having a steady supply of huge botnets to do their bidding and give them anonymity.

less pain for everybody involved that way. the irresponsible idiots don't turn into spam-spewing ddos-attacking botnet members and that benefits everybody else. the irresponsible idiots also don't have to worry anymore about keystroke loggers and other shit taking their financial details since those dont run so good on totally blank hard drives...

see folks that would be addressing the source of the problem. the problem has two aspects really. aspect one - people refuse to secure their systems and resent you for telling them that expecting them to be experts is unreasonable but they should at least do a little reading and attain at least basic competence. aspect two - the same people think "oh my computer is just slow these days" instead of realizing this is a problem they need to do something about NOW. malware designed to destroy as much data as possible that only uses security flaws they should have already patched is ideal for preventing the incompetent from inflicting their stupidity and laziness on the rest of us.

Re:Security is hard

[PhilipTheHermit]

There are a few things you can do, though:

1) Don't let your developers go berserk with their framework of choice. Standardize on something company-wide, thoroughly audit/evaluate it as a platform, assign staff to maintain and patch it, and train everyone else on how to securely develop for it. I know corporations hate to train or otherwise improve their staff, but at some point they're going to have to bite the bullet.

2) Build an internal team and use them for your development needs. Mentor them, build institutional knowledge, have a succession plan in place. Stop contracting everything out to the other side of the planet and then feigning surprise when it falls over in the first stiff wind.

3) SIMPLICITY IS YOUR FRIEND. Don't let your developers make your site complex because they want to work with a cool framework or show off their skills. Do design reviews and simplify, simplify, simplify.

4) Treat all new developers as apprentices, and make them work under a "journeyman" for their first year (usually their probationary period) until they prove themselves and have learned how you do things.

It's not rocket science, it's common sense. Well... Common among older programmers, anyway.

Re:Security is hard

[Duradin]

Girls being used to social engineer men or using social engineering against men is as old as it gets. I'll leave it as an exercise for the reader to google up the reason why it works.

Re:Security is hard

[maxume]

Biometrics are terrible. You leave fingerprint everywhere, most fingerprint readers seem to be incredibly easy to bamboozle, it gives incentives to detach fingers, it is hard to get new fingerprints if you find out the ones you have are compromised, and on and on.

Now, for certain types of authentication they probably make a lot of sense, but not for medium value authentication across miscellaneous un-managed hardware.

This is more of an open problem

[IgnitusBoyone]

Well, the problem with most of these is even if you know about them it only takes one lazy employee to introduce them. So, its hard to be 100% vigilant against the threats and because it only takes one crack to break the damn, this makes it impossible for most security companies to improve.

Perspective

[TheRealMindChild]

SQL injection, phishing, malicious attachments, social engineering. Old, every one of them.

And every one of them gets learned the hard way by the new batch of up-and-comers. It isn't like the average knowledge of us IT folk has gotten any bigger. Old, season folks leave, and new, green folks join. Also, management.

Re:Perspective

[Rary]

Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible? Then all you have to do is convince the green new up and comers to use the existing tools. Only downside is that the newbies don't learn the lesson, but this particular lesson is pretty costly to learn the hard way.

In IT, there is this general belief that the seasoned professionals, also known as "old timers", are filled with antiquated and useless knowledge, while the green newbies, also known as "cutting edge fresh talent", know all the whiz-bang new way of doing things.

Sometimes, this is true, but sometimes it is not. As long as we continue to view this industry as being one that changes so rapidly that everything learned last week is obsolete, we will continue to make the same mistakes and reinvent the same flawed wheels.

Give a damn

[Runaway1956]

Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

Re:Give a damn

[causality]

Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

I would add that there are reasons why systems like Linux appeal so much to this kind of user.

The biggest single one is that it doesn't assume you're an idiot. The system is built for users who intend to gradually become more and more familiar with how their systems work and how to maintain them. Users who traverse the learning curve at their own pace are rewarded with more and more ability to assume control and enjoy a system that does what they want the way they want to do it. You can also peek under the hood and see for yourself how things really work, with your skill level being the only limit. Generally things are made as simple as possible but no simpler, unlike Windows.

I would not classify Windows as easy to use, myself. I would call it easy to learn. Linux is quite easy to use if you have learned it. Learning how to use it is a one-time investment that continues to pay off. You can learn all about Windows but that won't make it much more convenient to automate, won't stop it from getting in your way whenever you try to do something advanced, and it won't stop it from trying to make you do things the way Microsoft intended.

The culture around Windows tends to encourage treating it like a black box and memorizing a set of steps to take in order to accomplish a specific task. The culture around Linux and Unix tends to encourage actually understanding how and why the tools work.

Linux also tends to be logical and predictable, the way you'd expect a machine to function. If something breaks, it broke for a good reason. It will stay broken until you fix it. When you fix it, it will stay fixed. You can actually get a meaningful error message that really does help you identify and isolate the problem. Windows has come a long, long way on these two points but it has yet to match the elegance of Linux and Unix. It's also helpful that all of the important configuration ultimately resides in plain text files. There is no opaque single point of failure like the Windows registry, which is a binary database that tends to become a mess over time.

I'd also say that the package management systems that come with Linux distros are vastly superior to the way software is acquired and installed on Windows. Instead of each third-party program having to chase down its own updates, often popping up nag screens requiring the user to complete the final step, you can update every last piece of software on your system with a single command. It's neater, less error-prone, and frankly less annoying. That counts for a lot considering how important it is to keep your system updated, considering how many Windows machines are compromised by exploiting already-patched vulnerabilities. Unfortunately I do not believe central software repositories would be possible on Windows, as the proprietary licenses of most Windows software would not allow third parties to redistribute them.

The users contributing the most to the rampant security problems are what I call permanent newbies. They hate learning new things. Somehow, they can use a tool for ten years without ever knowing much more about it than when they started. They don't even pick up knowledge here and there over time, let alone would they actively study anything. It is like they are too proud to do that. Asking them to do a bit of light reading for their own good is like asking an aristocrat to "fraternize with the help". It is a mentality to which I cannot easily relate. I cannot name anything non-trivial I do on a daily basis that I never learn new things about as I acquire more experience.