Slashdot Mirror


Is Whitelisting the Answer To the Rise In Data Breaches?

MojoKid writes "It doesn't take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And you have to wonder if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called "whitelisting." It's not going to sound too sexy to the average end user and frankly, even CIOs may find it unfashionable, but in short, whitelisting is a method of locking down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. A few start-up security companies are beginning to appear in this space. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If you follow system security, regardless of your opinion on the concept of whitelisting, it's pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working."

26 of 195 comments

  1. "whitelisting" by Anonymous Coward · · Score: 5, Funny

    Yes, yes, tell me more about this novel concept, I have never heard of the term before

    1. Re: "whitelisting" by Anonymous Coward · · Score: 5, Funny

      Man, I wish there were appstores for whitelisted software!

    2. Re:"whitelisting" by Z00L00K · · Score: 4, Insightful

      Most data breaches have occurred within a company, and the only way around it is to segment the networks and servers so that only select computers have access to financial data, others have access to HR data and yet others have access to strategic documents. Then it depends on company type if yet more segments are needed. In most cases the software development can go in one segment - the majority of the software developed is bread and butter. But in other cases special projects may need their own segment. Also make sure that all printers have their own sub-segment of each segment to make sure that any printer that has been hacked isn't going to have access to all the data, just the print data.

      Of course - this goes against the strategy of installing everything in one huge server running virtual servers.

      Whenever there is a need to exchange data it has to require manual action between individuals in both segments.

      And for browsing the internet - run a sandbox solution to isolate any browsing from the remaining network. It may mean that the web browser is on a special server. If that server is contaminated it's not a big problem to rebuild it.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

    3. Re:"whitelisting" by anubi · · Score: 5, Insightful

      A LOT of us are doing a form of whitelisting for exactly the same reason.

      How many of us are running programs similar to NOSCRIPT mostly because of hostile code and inattentive webmasters unwittingly distributing malicious code wrapped in advertisements?

      I learned about NOSCRIPT right here on Slashdot (Thanks, guys!!!) in response to one of my posts where I was whining (loudly) about not being able to be on the net for more than a few hours before I had to reboot Windows to try to get my system back.

      There is a lot of nasty stuff out there, and it seems most of it comes riding in on scripting or coaxing me to run their attachment. Often I have seen them try to piggyback on the trust I have for a business - a business that places that trust at risk if the business insists I enable javascript for his site, then the bad guy uses that coercion of the business model to his own advantage.

      I think that is what a lot of the clamor here has been all about. We see wealthy investor type men taking control from the techie base and may force us to "drop our defenses" in order to communicate, and we are collectively screaming "NO" as loud as we can to the deaf ears of the businessman.

      I think we have all seen the suit people take down a business, and we don't want it happening here.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  2. Licensing and Cert Costs by Anonymous Coward · · Score: 3, Interesting

    It's too expensive. If you operate in a Windows environment then you have to use Windows Enterprise to access the functionality (which is expensive), and since code-signing certs are expensive not many devs (including driver devs) use them, meaning you have to go back to file hashes for individual versions of files that aren't signed. We use these mechanisms at my work for high risk workstations and the workload of maintaining them is quite tedious. We just aren't there yet as an industry.

  3. Seriously? by gman003 · · Score: 4, Insightful

    Why the flying fuck does anybody think Slashdot readers need to have "whitelisting" defined for them, let alone think they can pass it off as a "new technology"? Did Dice start putting those retarded SlashBI articles in main Slashdot now?

    1. Re:Seriously? by Anonymous Coward · · Score: 4, Funny

      As a manager these definitions really help me out. Could you tell me if these 'whitelistings' are webscale?

      ps I really like the new slashdot beta site!

    2. Re:Seriously? by TheReaperD · · Score: 4, Insightful

      Though most, if not all of us, know what whitelisting is, I do prefer they explain it rather than assuming we know it. I've run across too many articles in the past that assumed I knew some piece of information when I didn't. Sure, I can look it up, but that's annoying when you're just trying to read "news." Though this is a site for "nerds", that is a broad term. There's computer nerds, science nerds, comic nerds, etc. Now, the passing it off as new... I've got nothing; that's just lame.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -

    3. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      Uh, yeah. The sort of dumbfuck managers who might conceivably read slashbi are the exact audience the beta design (fuck beta, BTW) is meant to appeal to.

      The big idea, though unspoken, is clear: to keep the slashdot name, but shift in both content and presentation from a discussion site seeded with news for nerds to a straight-up news site (with discussion as an afterthought) for PHBs. SlashBI doesn't work because that name is not (and has never been) perceived to carry an aura of technical knowledge -- but PHBs have been hearing about this slashdot thing for a decade now. Rolling out a PHB-friendly site under the "slashdot" brand will help PHBs play one of their favorite games, namely indulging in the fantasy of deep technical knowledge without the inconvenience of learning -- and that means Dice makes big bucks placing ads in front of this "decision maker"-heavy audience. (This new audience is not only worth more to advertisers, they're also substantially less likely to use ad blockers than the old /. community.)

    4. Re:Seriously? by Arrogant-Bastard · · Score: 4, Insightful

      The inferior people at Dice -- you know, the same ones trying to shove their shitty Beta site down our throats -- are actually not clueful enough to realize that this is a very old idea. Whitelisting OS resources, applications, networks, IP addresses, etc. has long been an effective security measure, and I've deployed it everywhere I've been for the past 15 years or so.

      It appears that the Dicedroids think everyone is as stupid and clueless as they are.

  4. Already Possible by EmperorArthur · · Score: 5, Interesting

    Newer versions of Linux can already do this. Using the integrity measurement architecture, module signing, and Secure Boot it's possible to have a system where almost any change is detected. I'm currently trying to get it all working on my machine right now, but it's slow going. Here's hoping that distros start shipping with this set up by default. http://lwn.net/Articles/488906...

    A shorter term security measure that more users/Distributions should take is making the root partition read only. I know Android already does this, but it really does help. Something that I would really like to see is an easy to use per application firewall. Cgroups mean that I don't even have to worry about it just spawning a child process. Yes, I want to play this game in wine. No, I don't want it to access the internet. No, wine refuses to run it as a different user, much less one with lower privileges.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera

  5. NetBSD can do this already by Anonymous Coward · · Score: 5, Informative

    http://netbsd.org/docs/guide/en/chap-veriexec.html
    Veriexec is NetBSD's file integrity subsystem. It's kernel based, hence can provide some protection even in the case of a root compromise. Veriexec works by loading a specification file, also called the signatures file, to the kernel. This file contains information about files Veriexec should monitor, as well as their digital fingerprint (along with the hashing algorithm used to produce this fingerprint).

  6. Please read before modding down. by Anonymous Coward · · Score: 4, Informative

    What company directs 25% of its users to a partially-working, not-ready-for-production website? Please realize that Beta will not have the features that we want, because it goes against Dice's plans for Slashdot. To their advertisers, Dice presents Slashdot as a "Social Media for B2B Technology" platform. B2B - that's the reason Beta looks like a generic wordpress-based news site. A large percentage of the current userbase might be in IT, but /. is most certainly not a B2B site.

    Nevertheless, Dice is desperate to make money off of Slashdot, since it has not lived up to their financial expectations, a fact that they have revealed in a press release detailing their performance in 2013:

    Slashdot Media was acquired to provide content and services that are important to technology professionals in their everyday work lives and to leverage that reach into the global technology community benefiting user engagement on the Dice.com site. The expected benefits have started to be realized at Dice.com. However, advertising revenue has declined over the past year and there is no improvement expected in the future financial performance of Slashdot Media's underlying advertising business. Therefore, $7.2 million of intangible assets and $6.3 million of goodwill related to Slashdot Media were reduced to zero.

    Beta is not a cosmetic change. It is a new design that deliberately ruins the one thing that makes /. what it is today -- the commenting system. There is nothing wrong with Slashdot, from the users' perspective, that demands breaking its foundations. As others have commented, this is an attempt to monetize /. at any cost, and its users be damned. Dice views its users, the ones who create the site, as a passive audience. As such, it is interchangeable with its intended B2B crowd. We, the current users of Slashdot, are an obstacle in Dice's way.

    That is why they ignore the detailed feedback they have received in the months since they first revealed Beta. That is also why they now disregard our grievances. Their claims of hearing us are a deliberate snow job. It is only pretense, since at the same time they openly admit that Classic will be cancelled soon:

    "Most importantly, we want you to know that Classic Slashdot isn't going away until we're confident that the new site is ready."

    Don't hold your breath waiting for Dice to fix Beta. Their vision of Slashdot is a crippled shadow of the site as it is today. Don't let them pull the wool over your eyes. Dice doesn't need us, and it wants us out.

    Slashdice delenda est!

  7. Re:Do it in ROM by TheReaperD · · Score: 3, Insightful

    Sadly, the worst problem for system security is humans. If you required the flipping of a physical switch then malware would simply tell the user to flip the switch to see your choice of free porn, music, movies, games, etc. and the human will flip the switch (or any other method that requires human action). Humans are stupid... sad but true.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -

  8. old idea by Tom · · Score: 3, Insightful

    The idea is one of the oldest in IT security.

    And it works really, really well.

    And it is a PITA to administrate if you have a system that changes, as lots of systems do. For your regular service server, much less a desktop system, where new releases require new libraries, system updates are regular and new applications are required every now and then, it is almost impossible to actually do it.

    On a locked-down system that needs to do one thing, but do that thing reliably and securely, it's a fantastic security measure that will eliminate about half of your security headaches right there.

    It's the same idea as SELinux, just on a different level, and it shares many of the disadvantages, namely that it makes policy management into a full-time job.

    --
    Assorted stuff I do sometimes: Lemuria.org

  9. Re:Better idea by Tom · · Score: 3, Interesting

    Because their productivity will be higher with a computer, even a restricted one, than with pen-and-paper. And if you are talking typical office workers, you would be surprised how few applications they actually need. Most of the office workers in the world spend 99% of their time in

    • an office suite
    • a mail program
    • a browser
    • a single-digit number of job-specific applications (e.g. the accounting software)
    • and maybe a single-digit number of company-specific applications (e.g. the time registration app or the intra-company chat software, etc.)

    --
    Assorted stuff I do sometimes: Lemuria.org

  10. Re:Trusted program, untrusted use by Tom · · Score: 4, Informative

    All good security is layered. This is one part of a complete security model, the part that prevents the hacker from uploading and using his own tools.

    Of course, you also need other parts. For example, runtime-patching is a reality, so unless you have additional protections in place to prevent it, there are plenty of ways that a hacker can still execute arbitrary code including entire programs.

    But the primary protection this offers is to finally solve the exe-cloaked-as-jpeg-or-zip-in-a-scam-email-that-users-click-to-open problem that Mickeysoft should've solved 10 years ago by simply fucking removing that idiocy from Outlook one day after it went live and people realized how trivial it is to abuse.

    Basically, the primary benefit of this will be that it prevents unintentional execution of code. It doesn't stop a dedicated attacker who already has root access, at least not by itself.

    --
    Assorted stuff I do sometimes: Lemuria.org

  11. Re:Do it in ROM by Tom · · Score: 3, Insightful

    I would like to see the filesystem of an OS partitioned into several levels: read-only disk drives where stuff never changes unless an update occurs (kernel, device drivers, configuration files), read-write disks where log files are updated by the minute, hour or day, and a local/user partition which is updated by the user.

    You mean the way that almost every installation guide for every Unix system ever recommends you do it, and almost nobody ever does?

    --
    Assorted stuff I do sometimes: Lemuria.org

  12. We're adopting this at work... by Dr_Barnowl · · Score: 5, Insightful

    While I admit that as a programmer I will inevitably have a skewed point of view, I view it as ill-advised.

    A computer is useful primarily because it is NOT a special purpose tool, but a general purpose one.

    Whitelisting cripples your computer. If you can't run software without it being on a whitelist, you can't even write a shell script, or a VBA macro. Your computer stops being useful as a general purpose tool - only the software that has been approved remains useful.

    Yes, I get that most users are numpties and probably do need to be kept from hurting themselves. But this kind of policy cuts down the tall poppies - the ones who actually can make their computer work for them, instead of just working at their computer, and removes the possibility that any more will arise - no-one will voluntarily seek the rights they need to approve of their own software, because they'll be singled out as potential hackers and troublemakers, and any data breaches that do occur will be attributed to them.

    As applied within our organization, it's also soul-crushingly annoying to programmers. We'll have the rights to approve of any software we want to run, but we have to click through an approval dialog for each... new..... file... which of course, means that every time we rebuild our code we face a clickfest just to debug it, or run unit tests on it, etc.... most of us have shied away from being "upgraded" to Windows 7 because of this. Several of us just wish we could change to Linux, being Java programmers.

    Indeed, many of our internal teams are also getting the self-approval rights, which just trains them to click "Approve" and you're all the way back to UAC again, no extra security, just extra hassle, reduced performance of the computer (which is now hashing every file you access on the drive to see if it's on the whitelist), and more money diverted into the coffers of the kind of company that sponsored this story in the first place.

  13. reddit how-to by Requiem18th · · Score: 3, Informative

    Reddit has a text-based, list-oriented design the way we want it. It suffers from a lack of article summaries though.

    How to customize reddit to replace slashdot:

    Step 1: Sign up on reddit.
    Step 2: Visit these subreddits and click the "subscribe" button in each one of them:
    http://www.reddit.com/r/games
    http://www.reddit.com/r/gaming
    http://www.reddit.com/r/pcgami...
    http://www.reddit.com/r/privac...
    http://www.reddit.com/r/politi...
    http://www.reddit.com/r/openso...
    http://www.reddit.com/r/techno...
    http://www.reddit.com/r/law
    http://www.reddit.com/r/space
    http://www.reddit.com/r/scienc...
    http://www.reddit.com/r/govern...
    http://www.reddit.com/r/securi...
    http://www.reddit.com/r/biotec...
    http://www.reddit.com/r/censor...

    Step 3: Go to your user profile and look for your personalized RSS feed (should be in https://ssl.reddit.com/prefs/f...); it will give you a digest of the best stories across all your subscriptions.

    --
    But... the future refused to change.

  14. Re:Do it in ROM by donaldm · · Score: 4, Interesting

    You should always set up your file-systems in such a way that the OS part is completely separate from user data, such that it should be a simple matter to recover or even install and update just the system file-systems. Unix and now Linux have always recommended this type of layout, although you can even do something like this for Microsoft Windows.

    I have Fedora 20 running on my PCs and I make sure I document my system layout, application requirements, customisations and of course my security files, which I save. If on the off chance my system gets compromised I can easily 1) do a system recovery or 2) do a fresh install and update without compromising my /home or archive data.

    The fresh install takes me approximately 1 hour then 15 minutes for customisations then about 1 hour for the update although during this time I can fully use the machine. It must be noted that a recovery from backup would most likely take me about 20 minutes for 10 GB to be recovered (over 2000 packages), however if you have been compromised it is usually safer to do a fresh install.

    It is possible to have a read-only system file-system for a Unix/Linux but this would be a stupid idea since you have /var, which contains logs and update information that is required to be read/write. Even / (/ and /usr) needs read/write on occasion. The same is true for a Microsoft OS. The best you can do is have a tested disaster recovery plan, and surprisingly it need not be that elaborate, but you do need to cover most what-ifs.

    --
    There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.

  15. Re:Trusted program, untrusted use by hairyfeet · · Score: 3, Interesting

    Oh please do you REALLY think that is the cause of Windows infections?

    I got news for ya pal, I fix the systems that get pwned 6 days a week and I can tell ya that hasn't been even a major, much less main, source of infections since 2004 or so. How do Windows systems get infected? The same way this page shows you how to infect a Linux system in just 5 steps through good old fashioned social engineering. Here are the top sources of infections I see at the shop, I see these constantly.

    1.- "You want to see teh hot lesbos? Just run 'Iz_Not_Viruz_Iz_Codex' to see teh hot lesbos today!"
    2.- "Hi, this is your (insert name of person they know whose system has been pwned) and I found something really cool! Just click this link (which goes to a page full of drive bys) to check it out!"
    3.- "ZOMFG u got teh viruz! Just run 'Iz_Not_Viruz_Iz_Cleanerz' to get rid of it ZOMFG!"
    4.- "You are teh winrar of our contest! Just give us all your info on this page (so we can pull an ID theft while infecting you with drivebys) so you can get your prize u lucky dog!"

    These work on ANY system because they target the weakest point, THE USER. As a matter of fact I've been seeing a sharp rise in infected Android smartphones and ID thefts from that last one. It seems that folks just can't equate one system to another, so all those scams that haven't worked on a PC in a decade? Work great on a smartphone. It's endless September all over again. BTW please note that in NONE of those, nor in the Linux example, does the OS matter, because the weak spot hasn't been the OS in ages; the easy target has been and always will be the users.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  16. No. by gweihir · · Score: 4, Insightful

    As usual with this type of headline, this is not a solution. In fact, it is not a solution at all. Just think of the most common way to compromise an executable: Buffer overflow. In that case, code is put somewhere in the memory area of the running process and then the process is coerced to execute it. This means the attack code runs in the context of the already running process afterwards and white-listing has zero impact. The only effect it has is that it gets harder for the attacker to start additional processes.

    As for code-injection attacks, these are usually done with interpreted code, and white-listing does not even apply to that.

    This is another technology that at best makes it harder for script-kiddies to break into a system, but has basically no impact on competent attackers.

    Incidentally, techniques like SELinux allow far more than a simplistic "white-listing", and have done so for quite a while.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  17. Re:SLASHCOTT by Jaruzel · · Score: 3, Insightful

    I'm SO sick of this 'Fuck Beta' crap.

    YOU the /. community are one of the most technically able groups of users on the internet. Therefore, instead of whining about a FREE service that you no longer enjoy, why not group together and build something better? If it's better than /. (not hard...) then your user base will come. A handful of you could throw up a simple blogging system in a few hours, whilst you work on something permanent...

    So instead of bitching about it to corporate owners who do not care, get off your arses and build something better.

    http://altslashdot.org/ seems to be offline at the time of writing - a good effort, but when I did look at it yesterday it seemed to be 90% ideas, and sod all development. The best sites on the net didn't spring into life fully formed, they evolved. The important thing is to just get something up and working as fast as possible.

    (Why am I not joining the effort? I'm a Windows guy, my linux foo is simply not good enough else I would.)

    -Jar

    --
    Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out

  18. Re:Trusted program, untrusted use by Tom · · Score: 4, Insightful

    Oh please do you REALLY think that is the cause of Windows infections?

    Your reply was misplaced by the comment system, it seems, because it doesn't seem to refer to anything I actually said.

    The social engineering angle is how you get users to execute crap they got sent by mail. The (old) idea under discussion here is a system that would make that execution impossible, even if you get the user to click the link.

    That said, the user is not the weakest link. That's a cop-out by IT people who don't want to look beyond technical solutions into cognitive sciences, for example. There's been a bit of research into these areas in the past 10 or so years, but the conferences on the topic are still very small and mostly academic.

    There's quite a lot you can do to prevent or at least make these kinds of attacks more difficult. But most of it is outside the techie comfort zone, and it means actually having to talk to users and understand them instead of labeling them "lusers" and stuff.

    --
    Assorted stuff I do sometimes: Lemuria.org

  19. Re:Hash by Predius · · Score: 3, Informative

    Exactly. Windows has a means of doing this built in from at least XP, but no app provided to automate its management. You can set up the system so it will only execute binaries with approved hashes. Back around 2002/2003 we were playing with a program in house that would build a baseline of approved hashes on a clean system, then push that list out to our workstations. To get an app approved we would then fire up the clean box, install, update, push, etc. We never got it past the budget phase though, but it accomplishes exactly what OP is asking about. For point-of-sale terminals, etc. that shouldn't be a moving target I'd say heck yes they should be in whitelist only mode.
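The hash baseline Predius describes above, combined with the fingerprint-plus-algorithm signatures file from the NetBSD Veriexec comment, as an added example that is not code from either poster or from NetBSD: it fingerprints a clean directory, writes the list out, and then denies anything that is unknown or has changed since the baseline. The "path algorithm fingerprint" line layout, the sha256 choice and all file names and contents are my own constructed assumptions, not NetBSD's actual file format.

```python
"""Hash-whitelist demo: fingerprint a clean directory, store the list as a Veriexec-style
signatures file, then allow execution only of files that are listed AND unchanged."""
import hashlib
import os
import tempfile

ALGO = "sha256"  # assumption: one hash algorithm for the whole baseline (constructed demo)


def fingerprint(path, algo=ALGO):
    """Hash a file in chunks so big binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo=ALGO):
    """Record every regular file under root as {abs_path: (algo, hexdigest)}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                baseline[os.path.abspath(p)] = (algo, fingerprint(p, algo))
    return baseline


def write_signatures(baseline, out_path):
    """One 'path algorithm fingerprint' line per file (assumed layout, not NetBSD's)."""
    with open(out_path, "w") as f:
        for path in sorted(baseline):
            f.write(f"{path} {baseline[path][0]} {baseline[path][1]}\n")


def load_signatures(sig_path):
    """Parse the file back; rsplit keeps paths that contain spaces intact."""
    baseline = {}
    with open(sig_path) as f:
        for line in f:
            if line.strip() and not line.startswith("#"):
                path, algo, digest = line.strip().rsplit(" ", 2)
                baseline[path] = (algo, digest)
    return baseline


def check_execution(path, baseline):
    """Return (allowed, reason). Deny by default: unknown, missing or modified files never run."""
    key = os.path.abspath(path)
    if key not in baseline:
        return False, "not in whitelist"
    algo, expected = baseline[key]
    if not os.path.isfile(key):
        return False, "file missing"
    if fingerprint(key, algo) != expected:
        return False, "fingerprint mismatch (file modified)"
    return True, "ok"


def demo():
    """Constructed scenario: baseline a clean bin/, then test clean, unknown and tampered files."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        approved = os.path.join(bin_dir, "approved_app")
        with open(approved, "wb") as f:
            f.write(b"#!/bin/sh\necho approved\n")
        sig = os.path.join(root, "signatures")
        write_signatures(build_baseline(bin_dir), sig)  # built on the clean box
        wl = load_signatures(sig)                        # pushed to the workstation
        results = {"clean": check_execution(approved, wl)[0]}
        dropped = os.path.join(bin_dir, "dropped_app")   # arrived after the baseline
        with open(dropped, "wb") as f:
            f.write(b"#!/bin/sh\necho not approved\n")
        results["unknown"] = check_execution(dropped, wl)[0]
        with open(approved, "ab") as f:                  # approved binary gets patched
            f.write(b"echo extra\n")
        results["modified"] = check_execution(approved, wl)[0]
        return results
```

Run `demo()` to see the three verdicts; note that, as gweihir and Tom point out above, this only governs which files may start, not what an already-running process does in memory.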