Slashdot Mirror
Stuxnet's Legacy: Get Back to Basics or Get Owned
Gunkerty Jeb writes "Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies."
No matter how much companies (and individuals) would like to pretend otherwise, security is really hard to do. It's not just a matter of having the right technology in place; people have to follow some inconvenient rules and exercise self control and common sense.
So we're always going to have some of these problems.
Slashdot editor's legacy: Get back to english class or get owned
Hell. Social Engineering is older than my knees and prostate combined!
Well, the problem with most of these is even if you know about them it only takes one lazy employee to introduce them. So, its hard to be 100% vigilant against the threats and because it only takes one crack to break the damn, this makes it impossible for most security companies to improve.
Momento Mori
Just because you can put a label on something doesn't mean it's simple or easy to defend against. SQL injection, yes. But phishing, malicious attachments, and social engineering aren't easy or simple to defend against. Well, you can get rid of malicious attachments by getting rid of all attachments, but even if that's practical, it leaves the rest.
Maybe one day people will take little Bobby Tables seriously. Frankly there is no excuse for stupidity. But you must bear in mind also that we will never run out of stupid people.
Seven puppies were harmed during the making of this post.
SQL injection, phishing, malicious attachments, social engineering. Old, every one of them.
And every one of them gets learned the hard way by the new batch of up-and-comers. It isn't like the average knowledge of us IT folk has gotten any bigger. Old, season folks leave, and new, green folks join. Also, management.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I thought phishing was a type of social engineering?
And social engineering isn't a technical problem likely to be "fixed" - it's a continuous education of users that can never be considered done or even successful.
If you fire the dummies, they just end up at someone else's company (and you get other companies' dummies. Ain't no technical fix for stupid, son.
Fact of the matter is:
- Maintaining security is a cost
- Security breaches are not a cost
Corporate policy dictates "costs are bad", ergo there's zero incentive to fix this until it's regulated.
Have a nice day.
ya know like hollywood
Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about
So, in other words, we just put that in the title to drum up hits.
Stuxnet had nothing to do with SQL injection, phishing, or email attachments. It may have used social engineering, or it may have been introduced by a covert human agent.
I want it and I want it NOW !! Dunno why... but I want it and I want it NOW !! GODDAMN WHERE IS THE FUCKING QUEUE !!
Anyone who would willingly give their banking info to the nigerian prince should have all of his office network passwords revoked instantly for being a moronic security threat.
I see a lot of comments about "dummies." Management needs to take a look at themselves as well. They hold the purse strings and the power of decision. In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand. Don't get me started on the overwhelming and pervasive attitude of users, "you mean I have to remember my password!?!"
all cleaned up & presented as 'god' given 'prosperity'. almost nothing of a self-serving notion will succeed until all of the surviving babies are accounted/cared for. see you there?
"Walker believed the caller was a conservative billionaire named David Koch, but it was actually a liberal blogger. The two talked for at least 20 minutes — a conversation in which the governor described several potential ways to pressure Democrats to return to the Statehouse and revealed that his supporters had considered secretly planting people in pro-union protest crowds to stir up trouble.
The call also revealed Walker's cozy relationship with two billionaire brothers who have poured millions of dollars into conservative political causes, including Walker's campaign last year.
Walker compared his stand to that taken by President Ronald Reagan when he fired the nation's air-traffic controllers during a labor dispute in 1981.
"That was the first crack in the Berlin Wall and led to the fall of the Soviets," Walker said on the recording.
The audio was posted on the Buffalo Beast, a left-leaning website in New York, and quickly went viral.
Editor Ian Murphy told The Associated Press he carried out the prank to show how candidly Koch would speak with Walker even though, according to Democrats, he refuses to return their calls.
Murphy said he arranged the call Tuesday after speaking with two Walker aides, including his chief of staff. He made the call using Skype and recorded it.
Walker spokesman Cullen Werwie confirmed that it Walker's voice on the call.
The governor said he was ratcheting up the pressure on Senate Democrats to return to the Capitol a week after they fled to block the legislation. He said he supported a move to require them to come to the Capitol to pick up their paychecks rather than have them deposited directly.
He also floated an idea to lure Democratic senators back to the Capitol for negotiations and then have the Senate quickly pass the bill while they are in talks.
Walker said aides were reviewing whether the GOP could hold a vote if Democrats were not physically in the Senate chamber but elsewhere in the building.
Democrats seized on Walker's recorded comments as evidence that the governor plans to go beyond budget cuts to crushing unions.
"This isn't about balancing the budget. This is about a political war," Rep. Jon Richards of Milwaukee yelled Wednesday on the floor of the state Assembly.
The governor's plan would strip most public employees of their collective bargaining rights and force them to pay more for their health care and retirement benefits. Unions could not collect mandatory dues and would face a vote of its members every year to stay in existence."
protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering.
10 years? Those attacks have existed for as long as those technologies have existed.
See
(Google won't go further than the '90s, but you get my drift.)
I think the social engineering, phishing, and attachments could be solved, in organizations that made it a high enough priority, i.e., ahead of being nice to employees or not spending a lot of time and money on it. It breaks down into two steps. First, train everyone very well in how to recognize and avoid the threats. Second, have a dedicated tiger team continuously try to break security by sending phishing emails, emails with pseudo-malicious attachments, and trying to social engineer the employees. First time a given person screws up and breaks security, they go on the public list of screwups seen by everyone, it goes into their record and affects future promotions, and they have to attend training again. Second time, a formal warning, and more training. Third time, clean out your desk.
Not that real cracking attempts wouldn't slip through now and then; but it would certainly make the organization a much harder target.
Problem is, most organizations don't perceive it as important enough to go to these lengths. Intelligence agencies, sure (excepting the perpetually-clueless DHS); probably a lot more draconian than this. Military and FBI, too. Police? Probably not, they don't have the funding, for one thing. Corporate? Hardly ever.
As long as humans are part of the equation, security will always be weak.
What do I know, I'm just an idiot, right?
PHP is a big part of the problem. PHP's interface to SQL encourages putting in parameters without proper escaping. Python has a slightly different interface, one where there's one SQL statement with fields represented by %s, and a tuple with the values to be filled in. The values are escaped automatically. If PHP had only such an interface, most SQL injection attacks would fail.
It would help if there was simply a restriction that only one SQL statement can be submitted per call. Since all the major SQL implementations now have transactions, there's no reason to put two statements in one call any more.
Another problem with PHP is a tendency to install a large number of standard PHP scripts which shouldn't be installed at all. Look at your server logs and you'll see constant attempts by hostile sites to call common bad scripts.
Hosting "control panels" implemented in PHP are part of the problem. If you have one of those, you can't just turn off PHP, even if you're not using it. Worse, "control panels" tend to run with very high privileges, and present a large attack face.
Besides "SQL injection, phishing, malicious attachments, social engineering", what other types of realistic attacks are there?
I'm not sure how stuxnet is a proper illustration of old vulnerabilities being ignored. From what I recall of stuxnet, it is a WORM that exploits multiple zero-day vulnerabilities, at least one of which was due to security certs stolen from a hardware vendor in Asia.. Sure, best practices were ignored wherein industrial centrifuge controllers should have been physically firewalled from any devices that connect with other networks or devices.
But seriously, stuxnet isn't as good an example of a glaring security incompetence as the recent HBGary intrusion. That started with a simple SQL injection, and ended up with executive emails revealing nefarious corporate dealings by a company pretending to be a security consultant.
Here is an EXCELLENT technical dissection of the HBGary attack. Nothing spectacular involved. Just nuts-and-bolts hacking with impressive results.
Seth
$5 / month hosted VPS on linux = awesome!
Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
... if you have no goatse.cx, nor goatse.cz, nor goatse.ch, nor goatse.fr to point the SQL-injected website to?
Did you even read the summary?
They are saying that things like Stuxnet get the attention, but people are still having the most trouble with the basics, like HBGary you mentioned.
Basic security is easy. Very easy. It's just not convenient.
The problem is that people are lazy. Even if it is easy, they want it convenient for them.
And when it becomes convenient for them, it becomes convenient for the crackers.
The more convenient for your users, the more convenient for the crackers. It's linear. If your users can access your systems from anywhere in the world, so can the crackers.
As seen with the HBGary crack.
Most of the cases I've seen, of that type, have been ego issues.
They are management and YOU do NOT tell THEM what to do.
It is YOUR job to protect the network given the constraints of their requirements. If you cannot do that, well, there's another guy looking for your job who says he can.
It's derived from a prior expression: "There's no tools to fix stupid."
If you mod me down, I shall become more powerful than you could possibly imagine.
Well, I read the part that said "Stuxnet's Legacy", and then I foolishly expected some kind of legacy related to Stuxnet.
...but I think otherwise. Technology is largely (but not 100%) to blame for the security problems. Here are the reasons:
1) the usual programming language used for most desktop/system software (C or C++) has a lot of faults: unchecked array access, pointer arithmetic, arrays interchangeable with pointers, lack of non-nullable pointers, etc. This type of programming does not scale well in complexity and time.
2) the hardware, and more specifically, CPUs, do not provide a way to isolate software components within the same process, leading to an share-all-or-nothing approach. The share-nothing approach affects performance negatively, and so many software developers prefer the share-all approach, and thus a security breach in one component compromises all the other components.
3) the internet is not encrypted through out. DNS queries are raw text. Most web sites are HTTP. Without full encryption, there is no way to avoid man-in-the-middle attacks and phishing.
4) Operating systems do not provide a security model where sandboxing is the default. Normally, applications that send and receive data over a network should be run sandboxed by default.
5) Operating systems do not provide a well defined way of communication between software components with less privileges to software components with higher privileges, leaving this task to applications. Each application defines its own mechanism, which might or might not be secure.
6) The security models of operating systems do not extend beyond LANs. Over WANs, there is no security model.
7) no operating system uses capability-based security, which is one of the best ways to provide security.
8) SQL being text encourages copy and paste of the input to the SQL string, creating the Little Bobby Tables problem. Text should be internal to the API; SQL APIs should not provide the ability to write SQL text.
There are other issues as well; the above are just an example.
In the end, if a user is willing to let his machine be compromised, it will be compromised, no matter what. But I do not accept the fact that software and hardware is not to blame at all and that the software and hardware we have cannot be improved beyond what we've got now. H/W and S/W still have many design issues which are responsible for most security problems.
"No matter how much companies (and individuals) would like to pretend otherwise, security is really hard to do. It's not just a matter of having the right technology in place; people have to follow some inconvenient rules and exercise self control and common sense"
No it isn't hard: seperate executable code from data, use read-only embedded devices to run your code, never download and run code over the Internet, run a second system that impliments a full irrevocable auditing trail.
If only php had such an interface...
Oh, wait, I'm sorry, were you talking out of your uninformed ass to bag a "beginner" language that everybody here thinks that they are above and whore some karma points? Well, carry on then.
1 - So, that is why buffer overflow is in evindence on "SQL injection, phishing, malicious attachments, social engineering"... Oh, wait, the author didn't even remember it exists. Also, post that at the "PHP code is flawless" section. People need unchecked memory access and pointer arithimetics, just because you never a saw use for it doesn't mean that there isn't one.
2 - There are plenty of ways to isolate code sections within the same process. Some of them are used all the time, others, rarely. Anyway, that has no relevance in a discussion about security.
3 - Keep it complex, stupid! Also known as KICS.
4 - You want to sandbox the software from the file system, right? I asked because it is not the only option, and one of the goals of every operating system is to sandbox processes. It is just that they usualy don't sandbox the file system. Ok, you also talked about applications, that means you weren't thinking about servers (where people do that kind of sandboxes all the time). Well, most people just don't want their browsers sandboxed.
5 - Err, they do. How would an application create a communication channel with the OS? They aren't allowed to do that.
6 - Humm, no. The security model of an operating system applies to the computer where it runs. For a network you need network security.
7 - Define it. Windows uses even the same name.
8 - KICS!!! It's a way of life! Also, post that under the "Nobody can hack a binary format" and "It's secure, I used the double ROT13 algorithm" labels.
Rethinking email