Security Industry Faces Attacks It Can't Stop 305
itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"
I'll give you a clue... (Score:5, Insightful)
the "victims" were all running MS Windows...
Re:First (Score:3, Insightful)
[citation needed]
Oh and conspiracy theories are not adequate citations. You could at least try to not sound like an idiot.
Surely we've seen this before... (Score:1, Insightful)
Oh... like how the police can't prevent crime?
No. The core problem goes deeper. (Score:4, Insightful)
The "security industry" is NOT interested in putting itself out of business by selling WORKING products.
That's why the "perfectly installed antivirus" gets daily updates and STILL CANNOT TELL A GOOD FILE FROM A BAD FILE.
Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
It's far easier to identify the files that SHOULD be allowed than it is to identify a possible threat.
Stating the obvious (Score:3, Insightful)
AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect. Same with IDS and the lot of it.
In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better. The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.
Re:I'll give you a clue... (Score:1, Insightful)
Funny, when a statement like that concerning any other subject appears on the front page, it gets a "CorelationIsNotCausation" tag. But since it's an easy shot at MS, it gets modded up here...
In summary; (Score:5, Insightful)
Industry slow to respond to challenges (Score:3, Insightful)
Film at 11.
One thing that shouldn't surprise me anymore but keeps surprising me is that it seems like the more money you pay for software, the more half-assed it is. You get an off-the-shelf product like Quickbooks, it's impressive. You look at stuff that's industry-specific, specialized software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be the lack of competition means there's no real reason to improve the product beyond what it already does.
I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.
Who has authority to confirm something as good? (Score:5, Insightful)
How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?
Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?
Re:I'll give you a clue... (Score:4, Insightful)
It's Microsoft's product which is the target of these attacks. IMO the grandparent should be tagged captainobvious, rather than being tagged correlationisnotcausation.
When you hear about a massive distributed attack against Mac OS X and linux which goes undetected for a while, let us know.
The scary thing is... It could be happening right now! Quick! Unplug your ethernet cable and turn off your wireless radiooo!! They're gonna get youuuuu!!!
No perfect security. (Score:5, Insightful)
There is no perfect security, offline or online.
I like to say there are 3 main types of attacks:
We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.
Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.
This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.
Targeted attacks are a different animal (Score:5, Insightful)
That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.
Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.
It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.
So why not change it? (Score:5, Insightful)
The problem is that they haven't even hit the 50% mark. They cannot even, reliably, detect threats that are over a year old.
Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).
I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.
It is not in the "security industry"'s best interest to commit to real improvements in security.
Is your shopping list executable? (Score:4, Insightful)
No? Then it isn't an issue.
Now, if you're trying to store your shopping list on c:\windows\system32 ... then the anti-virus app should block you.
As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.
A side benefit of this would be that the anti-virus app could also tell you that you have vulnerable, unpatched apps on your system.
Re:Stating the obvious (Score:3, Insightful)
So how do you explain the free ones not being perfect, then?
Re:I'll give you a clue... (Score:4, Insightful)
Are you trying to say that Google uses MS Windows for it's websites and database servers?
Yeah, read the whole thread. (Score:3, Insightful)
Yeah, read the whole thread. You might notice that that was my original point.
The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.
If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.
But they don't do that. See the sentence above the sentence right above this one.
Re:Stating the obvious (Score:2, Insightful)
Just wait until YOU have kids. You'll go off to work, secure in the fact that you're an enlightened end-user as far as security goes, and when you get home from work, you'll see how much damage kids can cause in the 2 hours between the end of their school day and the end of your work day.
And, when that happens, just let me say in advance: HA HAH!
Re:Yeah, read the whole thread. (Score:3, Insightful)
Yeah, read the whole thread. You might notice that that was my original point.
And yet you think they are magically going to be able to implement an automatic white listing mechanism?
The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.
And because many of them are just flat out incompetent.
If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.
But they don't do that. See the sentence above the sentence right above this one.
And would be just as fraught false positives and negatives as their current software.
Hell, why aren't the banks cracked? (Score:3, Insightful)
If security is that difficult, then why haven't all the banks been emptied by now?
Re:Windows tax deduction (Score:4, Insightful)
There are some problems that you have to pay money to have.
True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.
You are asserting that the costs of a computer end at purchase, they do not. With Windows, the purchase price is only the beginning of your costs. Anti-virus, maintenance, upgrading, rebooting, these costs dwarf the purchase price.
Re:I'll give you a clue... (Score:2, Insightful)
There is a shortage of malware available to exploit those idiots, however.
Correlation can imply causation. (Score:1, Insightful)
Correlation can very well imply causation. Let me prove it to you:
Re:Industry slow to respond to challenges (Score:3, Insightful)
Re:No. The core problem goes deeper. (Score:3, Insightful)
Note that that was installed from a non-Ubuntu source, effectively breaking the whitelist.
It's simple to tell your users they can only install from the Ubuntu repositories, and set up controls that would keep most users from being able to install other software...
Once again, no defense against a skilled user who really wanted to install something either in windows or Linux, but setting the policy along with reasonable protection measures keeps most users from installing dancing bears screen saver malware.
Re:No. The core problem goes deeper. (Score:4, Insightful)
You mean like how OSX and Linux does WITHOUT Antivirus?
It's called permission. yes you can still get past the user by confusing of tricking them. but any OS that allows a user (not a superuser but a regular user) to run a program that silently infects a system file is a defective and poorly written system.
People claim that OSX has no viruses because it's a tiny target. Most people that have a mac have a lot more money than a PC user, that makes them a juicy target for stealing info. yet I still dont see the flood of problems under OSX. Why? it's the underlying security model of the OS that BSD brought to the table and that Linux also has. Your userland app CAN NOT WRITE TO OS FILES without permission.
To hell with telling good from bad, let's violently force all OS's to stop the poorly designed behavior of allowing ANY app to happily write to system files. That mans getting rid of the security nightmare abortion that is the registry.
Re:No. The core problem goes deeper. (Score:4, Insightful)
Really? so all mac users hate their mac and wish they had a Windows PC? Because that exact behavior is what OSX on it's own does.
Program writing to where it should not? Prompt user for administration password and ask if it's ok to do so. Seems to be that MOST people like it contrary to what you think.
Re:In summary; (Score:2, Insightful)
Fixed that for you.
Re:I'll give you a clue... (Score:4, Insightful)
Or perhaps stop using losing strategies like Default Permit when it comes to security.
AV software is just an example of Enumerating Badness which in the long run is a very very bad strategy.
Penetration testing is useless as anything other than a metric of how well the system is set up.
If penetration testers check your network and find 100 vulnerabilities and you dutifuly fix them all you're barely more secure than before because the problems that lead to those security holes being there in the first place haven't been addressed and it's almost a certainty that there are many many more.
It's an example of "Penetrate and Patch" which is a terrible way to do security.
The problem isn't windows. the problem is that people keep using terrible strategies.
AV software is useless against a custom virus I write just for attacking your system.
Blacklists aren't much good since an attacker only has to get through once.
Penetration testing is cool but it's not a way to secure your network.
and yet these things are the standard for approaching security.
Re:Security theater (Score:3, Insightful)
When people call me a thief for viewing pages without ads (by blocking Flash), I rebut with this. I trust Slashdot. I may not trust Slashdot's advertising partners. And Slashdot doesn't (and probably can't) vet the ads before they're displayed.
Here's a recent example of malware-infested ads appearing on a pretty big site:
http://news.cnet.com/8301-27080_3-10466753-245.html [cnet.com]
Specifically ads included in the Drudge Report:
http://news.cnet.com/8301-27080_3-10466044-245.html [cnet.com]
I've often been tempted to go all out with ad blocking, not because I hate ads, but because a new exploit could make e.g. simple images a vector for attack.
Layered Defenses (Score:4, Insightful)
Or we could do true layered defenses in security and redesign the OS to support them. Don't put crap into ring 0 just for "performance" purposes. Use micro-kernels and use messaging systems for interprocess communications. Place OS files into their own, protected partition and control access rigorously. Sign them. Allow unsigned drivers if need be, but sandbox them. Limit "shared" libraries and directories (hello Microsoft and Adobe). Drop legacy application support unless seriously sandboxed in a virtual environment. Heck, sandbox current applications the same way. And so on.
Today's processors and multi-core systems are fast enough to handle the overhead. Drives are huge. Allocate a full 10% of the processor budget to security. Why should we not sacrifice a few FPS in Quake or Unreal for hardened systems that are much, much, much more resistant to tampering and infection?
We know what we need to do. Just do it.
Re:I'll give you a clue... (Score:3, Insightful)
Well if I'm writing my virus from scratch then it doesn't really matter since the AV won't detect my virus until the company detects it, analyses it and adds it to their definitions.
So the 95% of the market it is.
Re:Is your shopping list executable? (Score:4, Insightful)