
Security Industry Faces Attacks It Can't Stop

itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
  • Re:First (Score:3, Informative)

    by Lunix Nutcase ( 1092239 ) on Friday March 12, 2010 @02:29PM (#31454308)

    Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid (or lazy) than they claim to be.

    Yeah, and then Schneier stated in a retraction that that wasn't the case.

  • Well duh (Score:1, Informative)

    by Anonymous Coward on Friday March 12, 2010 @02:33PM (#31454354)

    Antivirus is a joke, and always has been.

    You don't fix a software problem with more software. You fix the software.

    If you can't fix the software, you do your best to avoid situations where it will be attacked. In other words, don't punch the monkey.

    I don't run AV, I do run XP, I don't punch the monkey, and I don't get viruses.

    Training users at some megacorp to not PTM is a lost cause. Fix your s***, and forget AV.

  • by Jazz-Masta ( 240659 ) on Friday March 12, 2010 @02:39PM (#31454434)

    The dark side of computer "security" pays far better than the good side. I was contracted to setup a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.

    The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know, the other 12 were support for shipping, gathering information, making contacts, and advertising, etc. When dealing with spyware/malware, there is a lot of butt covering, and evasion.

    The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.

  • by smooth wombat ( 796938 ) on Friday March 12, 2010 @02:48PM (#31454552) Journal
    e (damn /. and its short subject field).

    Our state CISO [pennlive.com] was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.

    By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.

    He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."

    As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.

    I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:

    Site one [scmagazineus.com]

    Site two [threatpost.com]

    Further, here is an article [techtarget.com] which talks to the firee after he became the state's first CISO and what he had to contend with.
  • Re:Security theater (Score:4, Informative)

    by pastafazou ( 648001 ) on Friday March 12, 2010 @02:54PM (#31454616)
    you don't need to click any more. Most of the malware I'm cleaning up these days is delivered via Flash, and distributed by advertisement servers that have been hacked. All you have to do is visit a site that gets paid to serve random ads, and you can get infected.
  • by WrongSizeGlass ( 838941 ) on Friday March 12, 2010 @03:04PM (#31454768)

    And how do you think this is going to happen? If it's manual then most users are going to just click through saying it's good all the time or when they get fed up by this behavior they'll just uninstall it.

    If computer security has taught us anything, and it hasn't, it's that you can't protect users from themselves. Not only are they their own worst enemies, but they are never the person they blame when this happens. All PCs should come standard with a mirror.

    I'm not letting MS off the hook - they need to get their sh!t together, but it's impossible to retrofit all the XP (and older ... and newer) desktops out there with a magic bullet. At some point the users need to share the blame and responsibility for their actions (or lack thereof) when it comes to their computer's security.

    Because if it can't do it with 100% accuracy, then you're going to get lots of complaints about bad files being thought of as good or good files being shitcanned as being bad.

    This is very true. Though in the big scheme of things I would imagine a user would rather be irritated by an errant "No write for you!" as opposed to the havoc an infection wreaks.

  • by AnyoneEB ( 574727 ) on Friday March 12, 2010 @03:37PM (#31455244) Homepage
    Not automatic, but whitelisting security systems like that exist. Core Force [wikipedia.org] is the one I know of. It has some sort of system for sharing whitelists for specific applications among users.
  • by Jazz-Masta ( 240659 ) on Friday March 12, 2010 @03:38PM (#31455270)

    Ethical conflict? Jesus what are you, Canadian?

    As a matter of fact, I am Canadian...

  • by spinkham ( 56603 ) on Friday March 12, 2010 @03:39PM (#31455280)

    Because they are monitored and recovered.

    Fraud happens all the time, but the banks have developed heuristics to stop it before too much money is lost. Often transactions can be rolled back and accounts frozen before the money disappears, but not always.

    Banks do lose huge amounts of money however, much of it through credit card fraud. That's the reason credit card interest rates are as high as they are. Customers are willing to pay those rates for easy access to money, so there is no incentive for US banks to move to something more secure like chip&pin or other techniques. Also, much of the cost of fraud is pushed back on the merchants, who have virtually no say in the card security policies.

    If you're interested in learning more, there's some great information that was presented to the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology as “Do the Payment Card Industry Data Standards Reduce Cybercrime?” on Tuesday, March 31, 2009, from the perspective of both the merchants and the credit card industry.

    http://hsc.house.gov/Hearings/index.asp?ID=185 [house.gov]

    Some good selections from the talks can be heard on the Risky Business podcast, episode #102.
    http://risky.biz/netcasts/risky-business/risky-business-102-washington-spanks-pci-dss [risky.biz]

  • by mhall119 ( 1035984 ) on Friday March 12, 2010 @04:23PM (#31455908) Homepage Journal

    So in other words, you're saying preinstalled Windows is free only if your time is worth nothing. Where have I heard that one before?

    No, he's saying that the total cost of Windows is greater than the purchase cost of Windows. He's also saying that the total cost of Windows is greater than the total cost of some alternative, one which doesn't have the same problems.

    Viruses exist for all operating systems.

    True.

    Take GNU/Linux on x86 for example: a virus running as a limited user can infect all programs installed into a user's home directory.

    Also true, with the caveat that on GNU/Linux, a downloaded virus doesn't automatically have the ability to be run.

    If Linux had majority desktop market share, it would have the same virus problem as Windows.

    This is a non-sequitur, none of your prior assertions implies this.

    Windows has RTM through Service Pack 3; Ubuntu has Hardy Heron through Karmic Koala.

    Number of upgrades is meaningless, cost of upgrades, in both time and money, is meaningful.

    What operating system doesn't need to reboot for a kernel update?

    I'm not sure about other *nixes, but rebooting for a kernel update isn't strictly necessary in Linux if you use KSplice.

  • Re:Ksplice patent (Score:3, Informative)

    by mhall119 ( 1035984 ) on Friday March 12, 2010 @04:50PM (#31456274) Homepage Journal

    True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?

    The comparison I was making was to downloaded .exe files in Windows, which by default are executable.

    The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.

    A regular release upgrade in Ubuntu is not equivalent to a Service Pack in Windows. Nor is an LTS release upgrade necessarily equivalent to a regular release upgrade in Windows. But either way, Ubuntu releases will continue to be free, whereas you'll eventually run out of SP upgrades on your version of Windows.

    Ksplice costs 48 USD per year [ksplice.com] unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all.

    KSplice Uptrack is a service that costs money. KSplice itself is open source, and available for free [ksplice.com].

  • Bitfrost vs. XNA (Score:3, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Friday March 12, 2010 @06:21PM (#31457650) Homepage Journal

    As I mentioned before, the web in a way handles this by simply not allowing "web applications" to do anything really damaging. That concept is how I think applications should actually evolve, although it is hard to define "not doing damage" for an application.

    The Sugar operating system on OLPC's XO-1 laptop has an interesting model for sandboxing applications, called Bitfrost [laptop.org]. But then Bitfrost presents a new API onto which Win32 and POSIX don't easily map.

    To some extent, current anti-virus companies, I believe, handle this by continually checking their software against popular software packages and making sure they do not get marked as false positives (or, well, actually have viruses in them).

    Some do a better job than others. ClamWin, in particular, uses the ClamAV definitions that are designed more for scanning e-mail than for scanning a hard drive, and for files that aren't often e-mailed (such as Excel.exe), ClamWin shows all sorts of false matches.

    In short, yes, whitelisting has issues because, as you say, maintaining the whitelist sanely and securely is a difficult (impossible?) problem.

    It's possible if you're Microsoft or Apple. These companies have the resources to maintain a central whitelist called Xbox Live Marketplace or App Store, and their platforms are popular enough and homogeneous enough that they can get away with charging developers $99 per year for XNA Creators Club or iPhone Developer Program to run self-compiled programs on a developer's own machine. Frankly, I prefer the Bitfrost model more.
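The whitelisting discussion above (Core Force, the Xbox Live Marketplace / App Store model, and the objection that maintaining a whitelist sanely is hard) can be made concrete with a small hash-based allowlist. This is an added example, not code from any commenter or from the products named; the "executables" are constructed byte strings, and the names `Allowlist`, `approve`, `decide` and `run_scenario` are this example's own. It shows the default-deny benefit (a tampered copy and an unknown tool are blocked) and the maintenance cost (a benign vendor update is blocked too, until someone re-approves it, which is the "No write for you!" irritation mentioned earlier in the thread).

```python
"""Toy hash-based application allowlist (added example, not the page's code)."""
import hashlib
from typing import Dict, Tuple

# Constructed sample "executables": byte strings standing in for program files.
# None of these are real binaries; the contents are made up for the demonstration.
ORIGINAL_EDITOR = b"editor v1.0: open, edit, save"
UPDATED_EDITOR = b"editor v1.1: open, edit, save, spellcheck"    # benign vendor update
TAMPERED_EDITOR = b"editor v1.0: open, edit, save, exfiltrate"   # same name, altered bytes
UNKNOWN_TOOL = b"some self-compiled tool"                        # never approved


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Default-deny execution policy keyed on the SHA-256 of the file contents."""

    def __init__(self) -> None:
        # digest -> human-readable program name that was approved under that digest
        self._by_hash: Dict[str, str] = {}

    def approve(self, name: str, content: bytes) -> str:
        """Record the exact bytes of an approved program; returns its digest."""
        digest = sha256_hex(content)
        self._by_hash[digest] = name
        return digest

    def decide(self, name: str, content: bytes) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'allow' or 'deny'.

        The policy trusts only the hash. The name is used solely to explain a
        denial, so that a changed known program is distinguishable from an
        entirely unknown one in the audit trail.
        """
        digest = sha256_hex(content)
        approved_name = self._by_hash.get(digest)
        if approved_name is not None:
            return "allow", f"hash matches approved entry '{approved_name}'"
        if name in self._by_hash.values():
            return "deny", "known program name but contents differ from approved hash"
        return "deny", "no approved hash for this file"


def run_scenario() -> Dict[str, str]:
    """Exercise the allowlist against the constructed files; returns verdict per case."""
    wl = Allowlist()
    wl.approve("editor", ORIGINAL_EDITOR)
    verdicts = {
        "original": wl.decide("editor", ORIGINAL_EDITOR)[0],   # approved bytes: allow
        "updated": wl.decide("editor", UPDATED_EDITOR)[0],     # benign update: deny (false positive)
        "tampered": wl.decide("editor", TAMPERED_EDITOR)[0],   # altered bytes: deny
        "unknown": wl.decide("tool", UNKNOWN_TOOL)[0],         # never approved: deny
    }
    # The maintenance burden: every legitimate update needs a fresh approval
    # before it runs, which is what makes the list hard to keep sane at scale.
    wl.approve("editor", UPDATED_EDITOR)
    verdicts["updated_after_reapproval"] = wl.decide("editor", UPDATED_EDITOR)[0]
    return verdicts


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:>24}: {verdict}")
```

The design choice worth noting is that the decision never consults the file name or path: keying on content is what stops a same-named trojan, and it is also exactly why a legitimate update trips the list. A central authority (the App Store model from the comment) works around that by approving each new version before users ever see it; an individual or a small shop has to do that work themselves.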

  • by Haxamanish ( 1564673 ) on Friday March 12, 2010 @07:07PM (#31458200)
    Coolest troll of the year, you even got modded insightful. Now, I do have mod points, but it's more fun to refute your "proof" than to mod you down.

    A proof in Logic is the situation where every row in the table contains "true", in other words, if the statement is a tautology. Now in the truth table you linked [wikipedia.org], the second line is false, so you cannot prove "if p then q" for every "p" and "q".

    Now you could argue that we're not talking about every "p" and "q", but only about the true ones. But then you would establish causation between every two true propositions:

    From p = "1 + 1 = 2" and q = "France is a European country"
    would follow, by your logic, "if p then q" and also "if q then p".

    Even more, from the table you could prove that "if 1+1=3 then France is a European country" and "if 1+1=3 then France is an American soft drink" as being true.

    For classical proposition logic, the "content" of a proposition is its truth value and nothing but its truth value. This is fine for AND, OR and NOT, but with "IF THEN" you get all kinds of problems [wikipedia.org]. The material implication is not a good model for causation, that's why there are things like for example relevance logic. [wikipedia.org]
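The truth-table argument in the comment above can be checked mechanically. This is an added example, not part of the comment; `implies`, `truth_table`, `is_tautology` and `falsifying_rows` are names chosen here. It enumerates every assignment of a propositional formula, reports whether the formula is a tautology, and lists the rows that falsify it, so the three claims (row two of the table for "if p then q" is false; any two true propositions imply each other; a false antecedent makes the implication true whatever the consequent) fall out of the same code.

```python
"""Truth-table checker for classical propositional formulas (added example)."""
from itertools import product
from typing import Callable, Dict, List, Tuple

Assignment = Dict[str, bool]


def implies(p: bool, q: bool) -> bool:
    """Material implication: false only when p is true and q is false."""
    return (not p) or q


def truth_table(formula: Callable[..., bool], names: Tuple[str, ...]) -> List[Tuple[Assignment, bool]]:
    """Evaluate formula under every assignment of the named variables.

    Rows are generated in the conventional order, True first, so for two
    variables the rows are (T,T), (T,F), (F,T), (F,F).
    """
    rows = []
    for values in product([True, False], repeat=len(names)):
        env = dict(zip(names, values))
        rows.append((env, bool(formula(**env))))
    return rows


def is_tautology(formula: Callable[..., bool], names: Tuple[str, ...]) -> bool:
    """A formula is provable in classical propositional logic iff every row is true."""
    return all(result for _, result in truth_table(formula, names))


def falsifying_rows(formula: Callable[..., bool], names: Tuple[str, ...]) -> List[Assignment]:
    """Assignments under which the formula comes out false."""
    return [env for env, result in truth_table(formula, names) if not result]


def material_implication_facts() -> Dict[str, object]:
    """Collect the observations made in the comment, computed rather than asserted."""
    names = ("p", "q")
    conditional = lambda p, q: implies(p, q)
    return {
        # "if p then q" is not a tautology: exactly one row refutes it
        "p_implies_q_is_tautology": is_tautology(conditional, names),
        "refuting_rows": falsifying_rows(conditional, names),
        # two true propositions ("1 + 1 = 2", "France is a European country")
        # imply each other under the material conditional
        "true_true_both_ways": implies(True, True) and implies(True, True),
        # a false antecedent ("1 + 1 = 3") yields a true conditional for any consequent
        "false_antecedent_true_consequent": implies(False, True),
        "false_antecedent_false_consequent": implies(False, False),
        # something that genuinely is a tautology, for contrast
        "p_and_q_implies_p_is_tautology": is_tautology(lambda p, q: implies(p and q, p), names),
    }


if __name__ == "__main__":
    for row, value in truth_table(lambda p, q: implies(p, q), ("p", "q")):
        print(row, "->", value)
    for key, value in material_implication_facts().items():
        print(f"{key}: {value}")
```

Running it prints the four rows of the table with the second one (p true, q false) marked false, which is the row the comment points to, and confirms that every "if 1+1=3 then ..." sentence evaluates true regardless of what follows the "then".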
