Are the Days of Individual Security Over?
angry tapir writes "People solely relying on patching and upgrades are lulling themselves into a false sense of security, and individual protection is no longer sufficient in the age of multi-vector attacks, according to the president of the Australian Internet Industry Association. According to AIIA's Peter Coroneos, vendors need to intervene at the network level and provide security tools at multiple levels to help secure people from the variety of threats that are emerging."
"After you secure your network Mr. ISP, remember to filter out these websites." (hands over blacklist including playboy.com, domai.com, etc)
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
"vendors need to intervene at the network level"
Doesn't this seem like just another excuse to let networks censor material by just labeling it insecure?
Rule for the modern world.
1. Assume malice. Once you determine there's no malice, you can go back to your normal discussion.
"need to intervene at the network level and provide security tools at multiple levels to help secure people from the variety of threats that are emerging". That's one of the better ones lately. Ask yourself: what are these security tools capable of doing *besides* stopping viruses?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
the solution?
A monoculture of course!
and telling everyone that *someone else* is handling security for them.
So stop taking it seriously. They don't seem to have much respect for the individual in anything anymore:
http://en.wikipedia.org/wiki/Censorship_in_Australia
This just looks like another power grab.
Seems like another argument to take responsibility away from individual users. I'm sure it involves filtering domains that "may be virus vectors and may contain illegal content that the user is being protected from". Little "Great Firewalls" for each ISP? Considering that this is coming from Australia, it might be a part of yet another attempt to push for the creation of a Great Firewall at the ISP level, using "industry standards" to enforce it instead of a law that has to be approved and might be struck down.
Yet Another Tech Blog
(but so much more, including game and movie reviews)
http://yanteb.peasantoid.org
It's early in the thread, so I'll get the astroturfing over with post-haste.
The only corporation that has any clue as to what constitutes effective security is Microsoft. Everything Microsoft does is great. The iPad isn't anywhere near as great as the yet-to-be-released tablet that Microsoft is planning.
Have I mentioned, yet, how great Microsoft is? Google is actually evil, despite what they say.
If Microsoft wasn't great, they would have 0% market share.
And even though I have a 7 year old cellphone, which I use sparingly (prepaid ftw), if I were to bother with a smartphone, it would definitely be something with Microsoft Windows Phone 7.
OK, Microsoft: where's my moola?
cheers,
ps - afaict, there are no ms-related products in my life, and there *probably* never will be. Slackware 13.37 RC 3.14159265358979323846264338327950288419716 ftw!
pss - I still want my money.
I'm pretty sure we all know the score here. We know who the bad guys are and what they are after. We know who the vendors of the platforms being exploited are and why they aren't or can't be patched. We know why end users continue to pretend they don't know or understand what is happening or what they can do to prevent it.
I just wonder what things would have to happen to overcome all of this crap? Will there have to be a cyber 9-11 attack somewhere to wake everyone up?
The other day, a person I went to some classes with called me and told me she "got a virus... or several viruses." I invited her over and she brought her laptop with her for me to examine and clean if possible. She was afraid to turn it off. But what was refreshing to me was the fact that she did everything right.
1. She went to another computer and changed all of her on-line passwords -- banking, insurance, bill paying, email, everything.
2. She ceased all work and use of her computer immediately.
3. She was using a browser that wasn't MSIE.
What I saw was just about what I expected to see. A window that was decorated to look like a Windows window "running a scan" and reporting several infections all over her computer. Problem was, since she was using something other than MSIE, the window wasn't manipulated to hide the URL this was supposed to be coming from... showed to be somewhere in Eastern Europe. A dialogue box was up with two buttons -- both of which lead to downloading an EXE file. And had this been MSIE, I had no doubt that the machine would have already been compromised -- seen that too many times. And oh yeah, all of this continued to work despite that she wasn't connected to the internet at all. Fascinating stuff and kinda pretty.
Still, I booted one of my machines over to Windows, updated everything and AV signatures too. I pulled her hard drive and connected it to a USB adapter and connected it to my computer to perform a scan. After a very long time, nothing showed up leaving me 98% certain that all was well and that nothing had happened to her machine.
Still, she doesn't fully understand the technologies but she at least listened to advice to not run MSIE on the WWW and to stop using her computer and to change her passwords from a different computer. How many people do you know would do that? I don't know too many... in fact, she was the first. I had another classmate who had a similar problem and she was terrified but she KEPT USING HER COMPUTER. I was like "uh.... okay... these are the risks... it's on you now."
Motivations and desires push people to do things, often stupid things, in spite of their knowledge of the risks involved. AIDS is still alive and killing for that very reason and so is drug-pushing spam. (Though lately, I have seen a LOT less of that... actually, none... either my filters are learning way good or there is simply less of it out there and what is out there is being caught.)
In a perfect world, Microsoft would abandon its Win32 and create a new OS based on BSD like Apple did. We would still have reasons to "hate" on Microsoft and they would still find ways to screw things up I am sure, but a better OS is definitely needed for the world and if it ain't going to come from Microsoft, I find it hard to imagine where it would come from in the near future.
It's kinda hard to see what the conclusion of TFA is, since it doesn't really take a moment to summarize anywhere in the piece. But basically we have two people speaking. Peter Coroneos tries to say something that home routers should contain more/better security.
Then he says: "people need to ask if Cloud applications are secure and private". I don't see what that has to do with security but rather with privacy, but there you go.
Then there's TrustDefender co-founder and CEO, Ted Egan, who's trying to peddle his company product, which seems to be a piece of software not unlike a trojan, which detects other trojans.
OK, that was a waste of time.
8 of 13 people found this answer helpful. Did you?
I'm convinced this article is simply FUD meant to push the insane content filters so desired by Australia's political class. You'll notice the site's name is cio.com.au. As pointed out down thread, the article basically proposes using "industry standards" as an end run around the legal hurdles Australia's leaders have encountered while trying to copy China's "Great Firewall".
We had another recent article explaining how the NSA decided that preventing intruders was impossible, instead concluding that security needed to permeate the whole process. If the fucking NSA cannot implement a sufficiently effective firewall, well I don't trust the ISP doing it either.
I'm afraid the only real solution will be modifying the end user experience to improve security. Two recent examples: Europe's adoption of EMV "Chip & PIN" smart cards, deprecating naive & dumb credit cards still used in America. Apple's Time Machine software provides a user experience that painlessly inspires people to spend hundreds of dollars on back up drives and follow sound backup procedures.
Apple's File Vault hasn't been nearly as effective at encouraging encryption as Time Machine has been at encouraging backups, but more serious approaches might work. You'll need some form of partial disk encryption if you're using, say, bitcoin anyways. There are similarly many ways of improving virus scanners to detect possible new botnets, less obtrusive, and less resource hungry.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell