NYT Magazine Says No Network Is Secure
bw writes "The NYTimes magazine explains why there is no such thing as a secure network. Along the way, it compares the attacks of script kiddies to a million monkeys firing catapults at random -- some attacks are bound to succeed. Also, Eugene Spafford thinks that after Y2K suits dwindle away, hungry lawyers will start looking at how the promiscuous connectivity of modern office apps can have dangerous side effects (think Melissa with a payload). " A truly excellent article! It's quite long, but worth the reading time, and if you don't have a (free) NYT login yet, this is the time to get it.
An important point made in the article is that overly paranoid security causes users to bypass ALL of the security. If you make users accept new randomly generated passwords each week, they will write them down. If you allow your audit procedures to take years, they will quietly install unapproved soft/hardware.
The two most ignored aspects of security are determining what level of security is actually required in the first place, and minimizing the burden of the security on being productive.
Of course, even when that's all taken care of, there will still be cases where truly paranoid security actually IS called for. At that point, the problem becomes one of employee education, and an HR issue. You can't have a secure system if your employees won't respect that security need, or if they are black hats. Especially in the latter case, security flaws are not the system admin's fault.
This was an outstanding article for the mainstream press that covered a number of key security issues that are fairly subtle to those who do not work in security (it even gets the "cracker"/"hacker" dichotomy right).
It also makes an interesting point, one that I've had to deal with for a long time, and most security folks have as well: One of the difficulties in securing information is that these measures many times make life difficult for the users, and when those users are technically skilled themselves, life gets that much more difficult.
The problem lies at the very essence of security. A secure system restricts the flow of information contained within it, but this is counterproductive to what users are trying to accomplish. Unfortunately for the users, sometimes it's more important to have secure information than ease of use. And as long as malicious individuals exist, this will be a "necessary evil".
"You can never have too many elephants on your team."
I have a test page that invites people to queue up their beloved home PC to get checked from "outside", and to have a few pings of death thrown at them. (www.dslreports.com/r3/dsl/secureme).
You wouldn't believe what I find.. or maybe you would. Many PCs have readable NetBIOS usernames; Back Orifice was found twice out of 100 machines. Cisco 675 home DSL router/modems with NO password and NO enable password, open shares with guest logins, SOCKS servers, firewalls with web configuration ports visible on the wrong side (my side), web servers meant for internal use with convenient displays of the internal network on them, visible from outside.
And of course machines that blue screen after they get pinged with one of the many packets that cause Bill's code to scribble where it shouldn't, but can't blame people for that.
The current incidents reported of break-ins to home PCs on full-time net access, also in the NY Times (with a Linux box partially compromised through imapd, I believe), could be reduced with some very basic external checking... Something ISPs should provide as a free service.
Right now it would be trivial to construct, with a bit of Perl and a bad attitude, a sweeper that found enough PCs on DSL or cable to get straight to the top of the seti@home charts, or launch an attack against something harder, all from the bedrooms of guys who use their PC to balance their checkbook.
The far worse risk here: imagine somebody has a VPN to their super secure office network, and it's via internet DSL, and they are lax in security. How long before somebody writes a VPN scanner that finds insecure full-time connected PCs and gets onto them to see if there is a VPN to a corporation that can be snooped/cracked/hijacked/watched? Companies think an end-to-end encrypted VPN is secure, but they don't think enough about the fact that the end of their tunnel is managed by an employee with little knowledge of security, on a Windows PC with a config that is by default insecure.
-Justin
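The post above lists what an outside check turns up on home PCs: NetBIOS name leaks, open shares, Back Orifice, SOCKS proxies, and management web ports bound to the Internet-facing side. The same check can be run from the inside before anyone else does it from the outside. The script below is an added example, not code from the post or from dslreports.com: it parses `netstat -an` style output (a constructed sample is embedded), decides which interface each listening socket is bound to, and flags the services the post names when they are reachable beyond loopback. The port-to-service table is an assumption for illustration; the Back Orifice default port (31337/udp) is a widely documented value that the post itself does not state.

```python
"""Self-audit of listening sockets on a home PC, in the spirit of the
external check described in the post. Constructed example; the risky-port
table below is an assumption chosen to match the services the post names."""

import ipaddress

# Ports the post calls out, plus the service usually behind them.
# 31337/udp is Back Orifice's documented default, not a value from the page.
RISKY_PORTS = {
    (137, "udp"): "NetBIOS name service (leaks machine/user names)",
    (138, "udp"): "NetBIOS datagram service",
    (139, "tcp"): "NetBIOS session service (file shares)",
    (445, "tcp"): "SMB direct (file shares)",
    (1080, "tcp"): "SOCKS proxy",
    (31337, "udp"): "Back Orifice default port",
    (80, "tcp"): "HTTP (internal web server or device config page)",
    (8080, "tcp"): "HTTP alternate (router/firewall web config)",
}


def bind_scope(host):
    """Classify the local address a socket is bound to.

    'any'      -> wildcard bind, reachable on every interface (incl. the DSL side)
    'public'   -> bound to a routable address, reachable from the Internet
    'lan'      -> bound to a private/link-local address, reachable from the LAN
    'loopback' -> bound to 127.0.0.1/::1, reachable only from this machine
    """
    h = host.strip("[]")
    if h in ("", "*", "0.0.0.0", "::"):
        return "any"
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "lan"
    return "public"


def parse_netstat(text):
    """Extract (proto, local_host, local_port) for listening sockets from
    'netstat -an' output. Accepts Windows ('LISTENING') and Unix ('LISTEN')
    TCP states; UDP lines carry no state and are always taken as listening."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in ("tcp", "udp"):
            continue  # header lines, blank lines, other protocols
        proto = parts[0].lower()
        host, _, port = parts[1].rpartition(":")
        if proto == "tcp":
            state = parts[3] if len(parts) > 3 else ""
            if state not in ("LISTENING", "LISTEN"):
                continue  # established/closing connections are not exposure
        sockets.append((proto, host, int(port)))
    return sockets


def audit(text):
    """Return the listening sockets that match RISKY_PORTS and are reachable
    beyond loopback, with the bind scope so the reader sees who can reach it."""
    findings = []
    for proto, host, port in parse_netstat(text):
        scope = bind_scope(host)
        if scope == "loopback":
            continue
        service = RISKY_PORTS.get((port, proto))
        if service:
            findings.append({"proto": proto, "port": port, "bind": host,
                             "scope": scope, "service": service})
    return findings


# Constructed sample resembling Windows 'netstat -an' output on a home PC.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1080       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1025       10.0.0.1:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['proto']}/{f['port']:<5} bound {f['bind']:<14} "
              f"[{f['scope']}] {f['service']}")
```

Running it on the sample flags 139, 445, 137 and 31337 as wildcard-bound (reachable from the DSL side) and 1080 as LAN-only, while the loopback-bound 8080 and the established connection are left alone. The scope column is the point: a service bound to 127.0.0.1 is not what the outside check sees, a wildcard bind is, and that distinction is cheap to check locally before an ISP or anyone else does it for you.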