Antivirus Inventor Says Security Pros Are Wasting Time 282
talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."
PBKAC (Score:5, Insightful)
The issue is usually the idiot that becomes the victim of a well done social hack.
As usual, the company is only as strong as it's weakest link.
chicken egg? (Score:5, Insightful)
Why would the hacker need to guess one password from a list of password hashes when he already broke in and was able to elevate his rights to read the password hashes file? He might was well add his own password entry.
Re:PBKAC (Score:5, Insightful)
Re:What did I gain? (Score:5, Insightful)
Re:PBKAC (Score:5, Insightful)
Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
A sane voice is heard... (Score:5, Insightful)
Corporate mouthpiece (Score:3, Insightful)
No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point.
But then, I read on in the article (yeah, I know, it's
Now, don't get me wrong, *any* protection is obviously better than none, but this is basically a surrender - instead of selling the common (wrong, but common) "I have an up-to-date anti-virus package, I am protected" perception, they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through". Woo Hoo.
So perhaps I'm being overly cynical, but it seems to me like a corporate piece with quotable sound-bites (so it gets wide distribution) that tries to deliver the message "hey, we suck, but keep on buying our software", in a more acceptable-to-the-people manner...
Simon
(+) And with this, I hope to equally annoy the grammar and spelling nazis out there. [insert random deity] those people piss me off.
That efficient? (Score:4, Insightful)
Re:What did I gain? (Score:4, Insightful)
12 digit change-montly lower+upper+number+ symbol passwords written on sticky notes (or similar) for 75% of users and freely shared due to complete lack of security training
or
6 character passwords that only prohibit patters and the username from being used changed every 6 months that people know not to write down or share?
Defense In Depth (Score:5, Insightful)
Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et. al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.
Hopefully I'm right, because if I'm not... I'm scared.
Re:chicken egg? (Score:5, Insightful)
True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).
In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.
The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)
Re:What did I gain? (Score:5, Insightful)
Re:Corporate mouthpiece (Score:5, Insightful)
Maybe he's wrong, but he isn't trying to sell you any software.
Ben
Not only that. (Score:5, Insightful)
They are not the same. The defenses are not the same. There may be overlap (a workstation at a company gets infected and sends out spam vs a workstation at a company gets cracked and is used to crack other boxes at that company) but that is all.
All in all, he's 100% backwards on his comments. Just what you'd expect from someone trying to push a specific product from a specific company.
Re:PBKAC (Score:5, Insightful)
Re:What did I gain? (Score:4, Insightful)
The more common scenario that he does not mention is that people who are trying to gain access are trying to brute force a login through a network protocol. NOT running something like rainbowcrack on your password hashes. If they've gotten to that point your passwords are essentially worthless already.
BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset. So if your user accounts aren't all administrators and someone finally manages to brute force a network login, at the worst, that person now can do as much damage as one employee. You do have access controls on your employees, right? Not to mention, most "secure" network protocols nowadays make brute-forcing much harder. SSH, for instance, will timeout the connection after X failed login attempts. They now have to work a lot longer. The login prompt in Windows does the same thing.
So you apply this thinking to everything. Stop using a VPN. Make only the services you want available through your firewall. Do egress filtering. Use a DMZ. Prevent LAN clients from talking to any hosts other than the gateway and servers. When I started, my company originally used VPN to check email on an Exchange server. BAD! Passwords were usually the same as the username. Someone could trivially walk in and have access to the entire WAN. I pointed this out to them and got "But we're using a VPN. Checkpoint says it's secure!" If you have Exchange, take advantage of RPC-over-HTTPS, and then proxy that! There are lots of things you can do. As this guy points out, none of them are perfect, but you never know-- one of those little things might save your ass.
Re:Not totally clear .. (Score:3, Insightful)
What do you lose with a strong password policy? Good user habits. They will start writing passwords down, or reusing them, and in general starting to do thinks we know you shouldn't. The policy starts becoming a direct impediment to the users, and so they naturally do their best to work around it. You may have reduced your exposure to brute force attacks, but you've opened yourself up to social engineering, and it's not clear that you've won by doing so.
Which is why (I think) he makes the point about user education. Getting users to follow good security procedures would likely solve more problems than any possible technical solution. This in turn requires a recognition that there are certain technical solutions you simply cannot put in place if you want people to use your system in a secure fashion.
Re:PBKAC (Score:4, Insightful)
Re:What did I gain? (Score:4, Insightful)
Actually, it's a cost item that gets in the way of the money making work. That is how most people view it.
Re:PBKAC (Score:3, Insightful)
It's the "war on viruses" (and spam) (Score:2, Insightful)
I see it being more related to the medical field, prevention is great idea (and has been a popular topic lately), but treatment is just as important and not to be forgotten.
I think he's really suggesting that business practices slow down--for instance, sure it's a painful to have a 15 letter password, but I'm pretty sure using 1 15 letter password for all your 7 important accounts is more secure that 7, 5 letter passwords...
Re:PBKAC (Score:3, Insightful)
Re:PBKAC (Score:4, Insightful)
Re:A sane voice is heard... (Score:2, Insightful)
Re:What did I gain? (Score:4, Insightful)
"It is hard for the users it's going to at least be that much harder for the hacker"?
Up to a point of diminished returns, at which point it's impossible* for the legitimate user, so they cheat and defeat the whole scheme. (Witness the archetypal "I can't remember this stupid password" sticky-note-under-the-keyboard situation.)
(*"Impossible" is dependent on the user's level of apathy, forgetfulness, or hostility to the security regime.)
But if you have strong armor around you, you look like a less appealing target as to try to find the one weak scale under your wing.
That presumes an equal level of interest and intent between the "soft" target and the hardened one. If the hard target contains the more valuable goodies, well, that's just "crunchy on the outside, tender and tasty on the inside."
Also, for some in the cracking community, an apparently-hard target is an personal challenge to their 1334 hax0r skills, and quite appealing.
People are more likely to jump on an open WAN then try to break into a hidden one with at least WEP.
Again, assuming the values of the targets behind the protection schemes are equal. If all you want is free wireless, then one WAP is as good as another. If you want that WAP for a particular reason, you'll target it no matter what its apparent hardness. Every security scheme is fallible; the real value is measured in terms of effectiveness versus the value of what's protected.
It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.
I suspect the author is arguing that we should strengthen our defenses by implementing effective measures (non-self-defeating, like the too-complicated password example above; or "security theater" measures that sound tough and look effective but can be easily defeated by ignoring their fundamental premise, like complete isolation from the outside except for trusted partners, but then trusting those partners unreservedly--if they get pwn'd so do you)
Actually (Score:5, Insightful)
He's saying "aim for as much security as you can get" not "aim for 100% impregnable", there is no such thing. Even Open BSD isn't impregnable, despite their claims. Nothing is impregnable to a determined and resourceful attacker.
He is correct in saying, "rather than bunkering up, strive to be indigestible to AS many potential predators and parasites as you can"... i.e. he is admitting the one fact of the universe... "there is an exception to every rule, just because you haven't found it, doesn't mean it doesn't exist somewhere else, in some form.
The arrow through the roof, for those with the intellectual openness to understand the metaphor is an unlikely incident, but if it does happen, what then. Peter is using that concept, to teach those willing to learn/understand, that for a car to be 100% impregnable, it would have to be arrow, bullet, cannon, nuclear weapon, weather and everything proof, including driver and other driver error proof, road proof, etc. However, the COSTS involved, and the final results are out of reach of even the rich, would make for a rather heavy, expensive and CLUMSY vehicle, and judging by risk, the benefits would far outweigh the costs. Its like flu shots. I travel, talk, do meetings, etc. I get sick very rarely, yet I see so many immediately taking "flu vaccines" out of fear that the flu will kill them. I've never had a relative who either died of the flu or had complications. Neither have I known anyone in my personal life who had these complications, and I have associates who have lived in first, second as well as third world scenarios.
Thus, in similar vein, driver training gives better results than building the bullet proof car. Don't surf porn with internet explorer is FAR better advice than installing the latest antispyware, and "don't accept email except in plaintext format" is far better advice than trying to balance a proper load of antivirus (which the user might not allow to update, or might become broken, etc). There have been plenty of virus samples that hijacked the latest Symantec and McAfee antivirus, why? Because they tried to be everything to everyone, and when you over extend your coverage, you end up leaving holes in your defenses.
Properly trained users is like having the original Citizen Militia, not truly powerful, but if properly trained in guerilla warfare and survival, and properly equipped, they can make ANY invading army's life, VERY difficult, to the point where the invading country finds the "host" or "prey" country to be "indigestible."
Nothing is unassailable, but plenty of plants are poisonous to their consumers, so as to make it a known thing that they are indigestible. The one size fits all solution, from antivirus, to security departments, to everything else, is STILL the same age old problem. No risk can be reduced to 0%. But it can be minimized and compensated for. This is what Peter talks about.
Its disappointing, I expected that those frequenting this board would've had the ability to apply metaphors in design. Good book for all to read. The Art of War. Get it bundled with The Prince. Good way to learn how to think.
Re:PBKAC (Score:5, Insightful)
I wouldn't need to keep my password on a Post-It note if you IT guys didn't make me change it every two weeks!
Antivirus 'Inventor'? (Score:2, Insightful)
As I understand it, the first antivirus program ever to have existed (although not marketed as such at the time) was the UNIX rm command. This was followed by clones in other UNIXes, and in the popular DOS operating system in which it was invoked with del.
Used in conjunction with the killall command, it is a very powerful tool indeed. Beats Norton anyways.
Working the Analogy through... (Score:2, Insightful)
I agree with the general tenor... (Score:2, Insightful)
Even worse, some of the password rules are counter-productive. I know of a company that requires a specific special character be in their 8-charater passwords. Know it (easy enough to find), and it's functionally a 7-letter password.
There's a saying about exercise that I think applies to security: The best exercise is which ever one you will actually do. We are attempting ever more complex technical solutions to what is an increasingly human problem.
Make sure that your passwords can sync across all of your systems. Make passwords complex but easy to remember. Let's be honest, if 5 failed logins locks you out, and I've assigned you a password like "bluefish", how likely is that password to be hacked by an automated system? About zero. But since it's short, simple, memorable, and universal: I can train you to not write it down. I'm convinced that's better security.
Re:PBKAC (Score:3, Insightful)
Far more important than any security contractor, is a proper risk assessment. There's no sense in building a million-dollar lock if it's only guarding a half-eaten twinkie. You look at the cost of various types of breaches, and the cost of a security measure times it's % efficiency, and pick the cheaper of the two.
In many cases, simply restructuring the network or the data it contains can buy you much more security than any product or policy. I've lost count of the number of times I've seen networks that were sealed shut from the internet, but wide open on the inside. All it takes is a jackass employee with a Wi-Fi hub and the whole thing goes to hell. Give your users what they need and nothing more, and you'll avoid a whole bunch of problems for free.
Re:PBKAC (Score:2, Insightful)
Re:PBKAC (Score:3, Insightful)
There, fixed it for you - IT guys get pissed off with frequent demands to change their password, too.