Forgot your password?
typodupeerror
Security IT

Antivirus Inventor Says Security Pros Are Wasting Time 282

Posted by Zonk
from the think-outside-the-para-digum dept.
talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."
This discussion has been archived. No new comments can be posted.

Antivirus Inventor Says Security Pros Are Wasting Time

Comments Filter:
  • PBKAC (Score:5, Insightful)

    by DigitalisAkujin (846133) on Thursday February 07, 2008 @01:08PM (#22335566) Homepage
    Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

    The issue is usually the idiot that becomes the victim of a well done social hack.

    As usual, the company is only as strong as it's weakest link.
    • Re:PBKAC (Score:5, Insightful)

      by GiovanniZero (1006365) on Thursday February 07, 2008 @01:11PM (#22335612) Homepage Journal
      Agreed, the problem is usually the user. I recently got an email from someone that CCd everyone and when I told him in the future to BCC us he said "oh its ok, I trust everyone on the list not to spam us" I replied "that's great but do you trust them all to keep their machine's clean and free from spyware?"
    • Re:PBKAC (Score:5, Insightful)

      by boristdog (133725) on Thursday February 07, 2008 @01:13PM (#22335658)
      Social Hacking is the main weakness of any system. And most of the time you don't even have to "hack" if you are perceived as "computer literate"

      Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
        [Posted anonymously for obvious reasons] Heck I work for a (non-computer) Fortune 500 company and when we did systemwide hardware upgrade swaps, they had everyone send their passwords in clear text email to the support desk mailing list!
      • Re:PBKAC (Score:5, Interesting)

        by eln (21727) on Thursday February 07, 2008 @01:29PM (#22335958) Homepage
        I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

        Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

        • Re:PBKAC (Score:4, Insightful)

          by somersault (912633) on Thursday February 07, 2008 @01:41PM (#22336160) Homepage Journal
          Same. Everyone seems to think I know their password already but I try to tell them that I don't even *need* their password. Also a lot of users don't seem to get the whole 'network' thing and think that you need the normal user's username and password to be able to access a computer. And sometimes when people leave the company then others still use the account of the person that has left without letting me know, so when I remove the account I get questions on why they can't access the account anymore. *sigh* Thankfully they are learning, slowly, but I find it so hard to get into the mindset of those users that I'm never going to be able to anticipate all the moronic things they're likely to do..
        • Re:PBKAC (Score:5, Insightful)

          by Anonymous Coward on Thursday February 07, 2008 @02:20PM (#22336852)
          Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

          I wouldn't need to keep my password on a Post-It note if you IT guys didn't make me change it every two weeks!

          • Re: (Score:3, Interesting)

            by Stray7Xi (698337)
            My passwords were much stronger before they implemented something like this.

            I used to have computerized randomized alphanumeric 10 digit passwords.

            Now since I have to learn the password quickly and it won't last long, I have to have some pattern. Sure I now have symbols (because I'm forced to) but it's now vulnerable to dictionary attack. 22!!SOmeword (followed by ##NEwword11) is much more vulnerable then 92cT6Ars1b
          • Re: (Score:3, Insightful)

            by ozbird (127571)
            I wouldn't need to keep my password on a Post-It note if you IT security guys didn't make me change it every two weeks!

            There, fixed it for you - IT guys get pissed off with frequent demands to change their password, too.
        • Re: (Score:3, Interesting)

          by Speare (84249)

          I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can.

          What's interesting is that very little kids are having to be trained in this philosophy as well. Kids and daycare staff sometimes use a password in case there's an unforeseen pickup snafu. Now toy codes and login information (like WebKinz) can have big consequences if they're leaked. I felt good when my daughter tried to explain your point to her friend-- she didn't want to know her friend's login.

    • Re:PBKAC (Score:4, Interesting)

      by rickb928 (945187) on Thursday February 07, 2008 @02:28PM (#22337020) Homepage Journal
      "If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security"

      That's not the goal. Security's goal is to get PRODUCTION workstations up and running cleanly and bug free with pretty solid security.

      The lab is easy. Let a few users have those machines for a week, visiting the casino sites, clicking on the latest e-greeting, and bringing the USB drive from home with those oh-so-important documents they were working on last night, right after their kids updated all the myspace pages.

      Security is, indeed, fairly easy save for two variables. Users and attackers. As an analogy, you can put any sort of locks, grates, fences, alarms, dogs, and flaming trenches around your house. If the kids let in the cable guy without seeing some ID, none of it matters. If all the crook wanted was to steal your mailbox, you'll have to weigh the advantages of fencing it in vs. having mail delivered, or hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing. Or just replace the damned mailbox when the kiddies bash it with a baseball bat driving by.

      Oh, and the plate-steel mailbox? In rural Maine, those are a laugh a minute. Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch, and a brief note in the local fishwrap about some kid at the ER with a broken wrist. Priceless. If only we could do the same thing to the script kiddies...

  • chicken egg? (Score:5, Insightful)

    by El_Muerte_TDS (592157) <<elmuerte> <at> <drunksnipers.com>> on Thursday February 07, 2008 @01:09PM (#22335586) Homepage

    If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network

    Why would the hacker need to guess one password from a list of password hashes when he already broke in and was able to elevate his rights to read the password hashes file? He might was well add his own password entry.
    • Re: (Score:3, Informative)

      by somersault (912633)
      Can't everyone read the password hashes file? On Linux at least. You aren't protecting the file, you're protecting the keys that were used to generate the hashes in the file. Biiiiig difference between read and write access to a password file.
      • by gnick (1211984)

        Can't everyone read the password hashes file? On Linux at least.
        No. That was true 15 years ago, but things like .shadow files have made things much trickier for the average user.
      • Re: (Score:2, Informative)

        by ealex292 (758889)

        No. The /etc/passwd file does not actually contain passwords, despite the name. It used to (hence the name), but hasn't in a while, since letting people read the hashes lets people brute force breaking the passwords a lot more easily (basically, hash every word in the dictionary, save it in a file, and compare those hashes against the one in the password file --- though this is less effective if salting [wikipedia.org] is used).

        From my password file:

        alex@ephesus ~ $ cat /etc/passwd
        root:x:0:0:root:/root:/bin/bash
        [...]

        • by swillden (191260) <shawn-ds@willden.org> on Thursday February 07, 2008 @01:39PM (#22336124) Homepage Journal

          From my password file:

          alex@ephesus ~ $ cat /etc/passwd
          root:x:0:0:root:/root:/bin/bash
          [...]

          That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

          alex@ephesus ~ $ ll /etc/shadow
          -rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

          So what does the corresponding entry in the shadow file look like?

          • Re: (Score:3, Informative)

            by DaleGlass (1068434)
            Sure, you can see mine if you want:

            root:!:13916:0:99999:7:::


            If you manage to crack that, try it at 127.249.17.156
      • by Vellmont (569020)

        Can't everyone read the password hashes file? On Linux at least.

        Absolutely not. Shadow password files became common on Linux 12-15 years ago, and other Unix variants around the same time. Only root is allowed to see the hash. If you have root privs, seeing the password hash wouldn't gain you much.
    • Re:chicken egg? (Score:5, Insightful)

      by Penguinisto (415985) on Thursday February 07, 2008 @01:24PM (#22335872) Journal

      He might was well add his own password entry.

      True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).

      In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.

      The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)

      /P (who sees bits and pieces of it from time to time)

    • Re: (Score:2, Informative)

      by crowemojo (841007)
      You are proving his point!

      By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker then a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)

      I think Tippet would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anythin
  • by Jennifer York (1021509) on Thursday February 07, 2008 @01:14PM (#22335668) Homepage
    I've had enough of the Security Vendors and their rhetoric. I'm constantly bombarded with requests to attend sales presentations on the latest intrusion detection pizza box appliance, or spam firewall thingy, etc. The value of these products are only so that the execs can point to their "security initiatives" and "best practices" when a breach of security is discovered. If they look like they've made an effort to curtail the risk, then they still get their big bonus.
    • Couldn't have said it better myself, which is one of the reasons I left my last job where I was the lead security analyst.
    • Re: (Score:2, Insightful)

      by ssummer (533461)
      Unfortunately that kind of thinking which you condemn is present in just about every facet of industry and society. It's called CYA (Cover Your Ass). Its why we have to take off our shoes at the airport, its why doctors order unnecessary tests, its why millions of tons of "expired" food is destroyed every year, its what runs the Legislative and Executive branches, its why we are still in Afghanistan and Iraq, its...
    • The problem I see with the entire "computer security" issue is that there are lucrative jobs and big money to be had, hawking it to people.

      The best examples I can think of of genuinely valid and useful security practices all involve things that don't cost much, if anything. (EG. TrueCrypt 5.0 is free software, yet you can encrypt a whole notebook computer's drive with boot-time password protection with it. This adds an obvious and practical layer of security. Configuring a proxy server to disallow downl
  • by Space cowboy (13680) * on Thursday February 07, 2008 @01:14PM (#22335688) Journal
    So, at first I wondered why an anti-virus man was basically blowing huge holes in the usefulness of his industry by coming out with quotable nonsense, for example:

    But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,"

    No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point.

    But then, I read on in the article (yeah, I know, it's /., but what the hell), past the flawed car analogy and it became clear - he's making nonsense statements at the start to try and hide his introduction of the meme that an anti-virus program that doesn't really work is still a "really good thing"(TM).

    Now, don't get me wrong, *any* protection is obviously better than none, but this is basically a surrender - instead of selling the common (wrong, but common) "I have an up-to-date anti-virus package, I am protected" perception, they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through". Woo Hoo.

    So perhaps I'm being overly cynical, but it seems to me like a corporate piece with quotable sound-bites (so it gets wide distribution) that tries to deliver the message "hey, we suck, but keep on buying our software", in a more acceptable-to-the-people manner...

    Simon

    (+) And with this, I hope to equally annoy the grammar and spelling nazis out there. [insert random deity] those people piss me off.
    • by Anonymous Coward on Thursday February 07, 2008 @01:27PM (#22335930)
      I can fully understand your cynicism, I share a lot of it. However, Peter Tippett does not work for Norton any more. He works for Verizon Business in their Risk Intelligence, and he has spent the past several years doing actual research on risk on an Enterprise level.

      Maybe he's wrong, but he isn't trying to sell you any software.

      Ben
      • Off-topic, but who cares... I'd be interested in knowing how his research is going. I believe he holds both an MD and a PhD, making me think that he's probably a pretty smart guy!
    • What did you expect? This is the same website that gives a periodic voice to Rob Enderle [darkreading.com] as if he were some sort of security expert... :/

      /P

    • Not only that. (Score:5, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Thursday February 07, 2008 @01:31PM (#22335994)
      But he's confusing ATTACKING a specific company with INFECTING various machines.

      They are not the same. The defenses are not the same. There may be overlap (a workstation at a company gets infected and sends out spam vs a workstation at a company gets cracked and is used to crack other boxes at that company) but that is all.

      All in all, he's 100% backwards on his comments. Just what you'd expect from someone trying to push a specific product from a specific company.
  • by CowTipperGore (1081903) on Thursday February 07, 2008 @01:15PM (#22335696)

    Peter Tippett thinks it's time for security professionals to wake up and stop wasting their energy. In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus...
    Peter Tippett invented the computer condom? You just know that his resume also lists a job somewhere in penetration testing.
  • That efficient? (Score:4, Insightful)

    by Rampantbaboon (946107) on Thursday February 07, 2008 @01:16PM (#22335722)
    About 3/4 of the work done by the average corporate department is useless. Congrats on the efficency, security people.
  • Wow,

    10 years ago he was saying exactly the same thing. It's still relevant, but nobody has been listening.
  • 1/3 + (Score:5, Interesting)

    by globaljustin (574257) <<moc.liamg> <ta> <labolgnitsuj>> on Thursday February 07, 2008 @01:17PM (#22335738) Homepage Journal
    Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant incumberments.

    I honestly feel like 9/11 and it's aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

    Existence is insecurity. The only way for something to be 100% secure is for it not to exist.
  • by circletimessquare (444983) <circletimessquare AT gmail DOT com> on Thursday February 07, 2008 @01:17PM (#22335748) Homepage Journal
    is stupid because somebody can just kick in a window

    except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

    same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

    that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions
    • Re: (Score:3, Interesting)

      by phliar (87116)

      The biggest effect these lowest level ineffective gratuitous "security" measures have is to annoy everyone and make lots of money for the security companies. Good security is a matter of quality, not quantity.

      Let me give you an example: I work downtown in a building of 10 floors, surrounded by buildings of around 50 floors. There are only offices in this building, all very boring and white collar. We already have card-readers on the doors on each floor. You also have to swipe your card in the elevator or

    • by Firethorn (177587)
      having a lock on my door is stupid because somebody can just kick in a window

      Personally, I think it'd be more along the lines of putting a X09 [taylorsecurity.com] lock on your door.

      Even a fairly cheap lock is going to hold up better than a window - of course, like different methods compromising a computer network, there are variances in detectability, cost, danger, etc... Opening a door is cheap, bypassing a handle-lock takes more skill but is generally hard to detect, a deadbolt even more expensive. Long before you get anyw
  • Defense In Depth (Score:5, Insightful)

    by ThaNooch (1186931) on Thursday February 07, 2008 @01:19PM (#22335778)
    No one is trying to create an Iron Curtain. Security departments (most of them hopefully) are taking numerous measures to prevent breaches. Including access controls preventing one compromised computer from getting all the marbles via role-based or well-configured discretionary access controls, appropriate traffic filtering and intrusion detection techs.

    Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et. al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.

    Hopefully I'm right, because if I'm not... I'm scared.
  • by FudRucker (866063) on Thursday February 07, 2008 @01:20PM (#22335796)
    a small poem (haiku style), it is difficult to type correctly because of intentional typos and a few numbers substituting for letters, i even get it wrong myself about 1/3 of the time even though i know it by heart...
    • by gnick (1211984)
      Wow... That sounds a little overly-paranoid unless you're worried about being heavily attacked by a well-funded government. Even really dedicated crackers quit at the 14-char letter/number/special char rainbow table level...
  • by whitehatlurker (867714) on Thursday February 07, 2008 @01:20PM (#22335808) Journal
    1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

    2) You're only as secure as your weakest password. We knew that.

    3) This guy shouldn't talk about seatbelts.

  • Dirty Little Secrets (Score:5, Interesting)

    by dschuetz (10924) <{slash} {at} {david.dasnet.org}> on Thursday February 07, 2008 @01:27PM (#22335924) Homepage
    Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

    We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

    Here [dc414.org] is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)
    • by Aladrin (926209) on Thursday February 07, 2008 @02:18PM (#22336804)
      You say 'crappy product' and I say 'so complicated there's no chance of eliminating all bugs.' (A ton of people just decided that I'm a Microsoft fanboy, and they're all wrong.) It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free. Instead they talk about how fast bugs are patched after they are found and reported.

      Of course they're bandaids on the real problem. So are cars, if you must have another car analogy:

      The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

      The reason antivirus/etc exists is that we have never found a better solution. It's just that simple. I'm all for thinking and planning, but it's no magic. If we all put our heads together right now and work on -nothing- else, we might never find a solution. There's no guarantee that there -is- a better solution.
      • by dschuetz (10924)

        It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free

        But it's not just about bugs, it's also about design. At its core, following good software programming practices both to avoid bugs or unforeseen vulnerabilities, but also to ensure that systems are actually designed with security in mind in the first place.

        I can't think of a good example offhand, but imagine building a to-do application for yourself, then letting other people use it, then deciding to make it a true multi-user product and bolting on some kind of user authentication system. It's almost ce

  • There may be something of value here.. it's really hard to say as the article author chose to take a bunch of analogies out of context, and give few details. Essentially this article is useless. The only thing I got out of it is "we're focusing on the wrong things in security, for example passwords and viruses." That's probably true, but it sure doesn't tell me much.

  • "Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus"

    I'd be more prone to listen to security practices from the guy who...say...invented cheese string...
  • by SCHecklerX (229973) <thecaptain@captaincodo.net> on Thursday February 07, 2008 @01:47PM (#22336288) Homepage
    What Tippett is saying is already well known by security professionals (at least the ones who know what they are doing...risk analysis is part of the CISSP exam, is it not?). The problem is that despite this, we are forced to do expensive and less useful (useful at all?) stuff by management because they are the "decider". Companies that actually have a CISO with competent staff have a decent chance at doing it right, but in my experience, many companies don't, so you end up deploying stuff just because management likes to deploy new 'security systems' rather than actually address the security posture of the company.
  • I think Tippett's right, most corporations are living in a house of cards--it's securing the net in some cases and in others it's the reverse--most firms are taking a shotgun approach with vulnerability research and patching.

    I see it being more related to the medical field, prevention is great idea (and has been a popular topic lately), but treatment is just as important and not to be forgotten.

    I think he's really suggesting that business practices slow down--for instance, sure it's a painful to have a

  • Instead of long passwords, how about random user names. Not usernames based on their real names or on a simple sequential number. If they cannot figure out a person's user name, password cracking is pretty hard.
  • As I understand it, the first antivirus program ever to have existed (although not marketed as such at the time) was the UNIX rm command. This was followed by clones in other UNIXes, and in the popular DOS operating system in which it was invoked with del.

    Used in conjunction with the killall command, it is a very powerful tool indeed. Beats Norton anyways.

Going the speed of light is bad for your age.

Working...