Is Whitelisting the Answer To the Rise In Data Breaches?
MojoKid writes "It doesn't take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And you have to wonder if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called "whitelisting." It's not going to sound too sexy to the average end user and frankly, even CIOs may find it unfashionable but in short, whitelisting is a method of locking-down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. A few start-up security companies are beginning to appear in this space. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If you follow system security, regardless of your opinion on the concept of whitelisting, it's pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working."
"whitelisting" (Score:5, Funny)
Yes, yes, tell me more about this novel concept, I have never heard of the term before
Re: (Score:2, Redundant)
Problem: Data Beaches
Reaction: Whitelisting
Solution: Censorship
And by the way, Beta sucks.
Re:"whitelisting" (Score:5, Insightful)
How many of us are running programs similar to NOSCRIPT mostly because of hostile code and inattentive webmasters unwittingly distributing malicious code wrapped in advertisements?
I learned about NOSCRIPT right here on Slashdot ( Thanks, guys!!! ) in response to one of my posts where I was whining ( loudly ) about not being able to be on the net for more than a few hours before I had to reboot Windows to try to get my system back.
There is a lot of nasty stuff out there, and it seems most of it comes riding in on scripting or coaxing me to run their attachment. Often I have seen them try to piggyback on the trust I have for a business - a business that places that trust at risk if the business insists I enable javascript for his site, then the bad guy uses that coercion of the business model to his own advantage.
I think that is what a lot of the clamor here has been all about. We see wealthy investor type men taking control from the techie base and may force us to "drop our defenses" in order to communicate, and we are collectively screaming "NO" as loud as we can to the deaf ears of the businessman.
I think we have all seen the suit people take down a business, and we don't want it happening here.
Re: (Score:2)
"How many of us are running programs similar to NOSCRIPT mostly because of hostile code and inattentive webmasters unwittingly distributing malicious code wrapped in advertisements?"
Generally speaking, NoScript is blacklisting, not whitelisting. Although you can whitelist programs in NoScript to prevent them from being blacklisted. :)
Newer versions of OS X use whitelisting by default, for unsigned executables.
Re:"whitelisting" (Score:5, Insightful)
Most data breaches have occurred within a company, and the only way around it is to segment the networks and servers so that only select computers have access to financial data, others have access to HR data and yet others have access to strategic documents. Then it depends on company type if yet more segments are needed. In most cases the software development can go in one segment - the majority of the software developed is bread&butter. But in other cases special projects may need their own segment. Also make sure that all printers have their own sub-segment of each segment to make sure that any printer that has been hacked isn't going to have access to all the data, just the print data.
Of course - this goes against the strategy of installing everything in one huge server running virtual servers.
Whenever there is a need to exchange data it has to require manual action between individuals in both segments.
And for browsing the internet - run a sandbox solution to isolate any browsing from the remaining network. It may mean that the web browser is on a special server. If that server is contaminated it's not a big problem to rebuild it.
Virtualisation has limits (Score:2)
Unfortunately, though it's relatively rare, vulnerabilities allowing software to "escape the virtual machine" are not unheard of. For the kind of security model we're talking about here, you ought to be running isolated segments on completely separate physical systems that can communicate only via controlled channels with suitable safeguards like firewalls and DMZs in place, if they even need to communicate at all. Basically, each segment in your network should regard traffic from any other segment as poten
Re: (Score:2)
Think of the average level of intelligence - 50% of the population are stupider than that!
Intelligence is hard to come by, as evidenced by the fact that even on Slashdot so few have even a basic grasp of statistics. It also explains why the pols can get away with so much...
Re: (Score:3)
Oh, I wish I had mod points....
I always thought that the "x" bit under unix was a kind of whitelisting mechanism (in combination with the "noexec" mount option).... or the security contexts under Windows or Apparmor or SELinux
But now, there is a new startup which wants to promote a product...
Re: (Score:2)
"Yes, yes, tell me more about this novel concept, I have never heard of the term before"
Of course you didn't know about them before. You even missed the basic point that it is not a concept but a "technology". It is said right there, in the article!
I for one will immediately buy a score of units of this new technology!
Re: "whitelisting" (Score:5, Funny)
Man, I wish there were appstores for whitelisted software!
Re: (Score:3, Insightful)
I'm SO sick of this 'Fuck Beta' crap.
YOU the /. community are one of most technically-able groups of users on the internet. Therefore, instead of whining about a FREE service that you no longer enjoy, why not group together and build something better? If it's better than /. (not hard...) then your user base will come. A handful of you could throw up a simple blogging system in a few hours, whilst you work on something permanent...
So instead of bitching about it to corporate owners who do not care, get of
Re: (Score:2)
"So instead of bitching about it to corporate owners who do not care, get off your arses and build something better."
There is a cost to forking the site; namely that the existing data of comments and discussions are locked up by Dice. So it's sensible to apply some political organizing and public protest in the hope that Slashdot comes to its senses and not effectively destroy itself with Beta. If that doesn't work, then of course forking the site is a reasonable backup plan. But not optimal due to lost dat
Brilliant... (Score:1, Insightful)
... next we'll make it impossible to emulate a trusted DLL ... oh, wait.
Re: (Score:3)
There was a guy at our university wanting to do some university psychology tests and figured the best way for the application to log the results was to send them as an E-mail to himself, where they could be timestamped independently. Only problem was that any application that wasn't on the PC's anti-virus whitelist was blocked from opening that port. So he just renamed his experiment application to "Agent.exe" and the anti-virus software allowed the message to be sent.
Hash (Score:2)
I am sure the white list contains the hash of the all the items.
Re:Hash (Score:4, Informative)
Exactly. Windows has had a means of doing this built in since at least XP, but no app provided to automate its management. You can set up the system so it will only execute binaries with approved hashes. Back around 2002/2003 we were playing with a program in house that would build a baseline of approved hashes on a clean system, then push that list out to our workstations. To get an app approved we would then fire up the clean box, install, update, push, etc. We never got it past the budget phase though, but it accomplishes exactly what OP is asking about. For point-of-sale terminals, etc. that shouldn't be a moving target I'd say heck yes they should be in whitelist-only mode.
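The clean-box baseline described above, and the "rename it to Agent.exe" trick from the earlier comment, as an added example that is not part of the original thread or any product mentioned in it: it builds a hash manifest from a constructed "clean" directory, then shows that a name-based check accepts a renamed program while a hash-based check and a baseline audit both flag it. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk a (presumed clean) tree and record relative path -> SHA-256 for every file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def name_allowed(path, allowed_names):
    """Weak check: trusts anything whose file name is on the list (defeated by renaming)."""
    return os.path.basename(path) in allowed_names


def hash_allowed(path, allowed_hashes):
    """Strong check: trusts only content whose digest was recorded on the clean system."""
    return sha256_file(path) in allowed_hashes


def audit(root, baseline):
    """Compare the live tree against the baseline: new, modified and missing files."""
    current = build_baseline(root)
    return {
        "new": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: two approved programs, then an unapproved one renamed to a trusted name."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Program Files/AV/Agent.exe", b"approved antivirus agent (constructed)")
        _write(root, "Windows/notepad.exe", b"approved editor (constructed)")
        baseline = build_baseline(root)
        allowed_names = {os.path.basename(p) for p in baseline}
        allowed_hashes = set(baseline.values())

        # Later: someone drops their own program in, named after a trusted binary.
        renamed = "Downloads/Agent.exe"
        _write(root, renamed, b"unapproved experiment program (constructed)")
        full = os.path.join(root, renamed)

        return {
            "name_check": name_allowed(full, allowed_names),   # True: the name matches
            "hash_check": hash_allowed(full, allowed_hashes),  # False: the content does not
            "audit": audit(root, baseline),                    # flags Downloads/Agent.exe as new
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```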
Re: (Score:2)
System file checker (sfc) is a means of this isn't it?
If so, I believe that has been around since Windows 98SE and is intended to be administered by MS online updates after the initial install. It's not terribly useful for files outside of Windows core files though, but it is a pretty good check after a virus or malware removal to at minimum ensure you can get into an uncompromised safe mode to search for infection remnants.
Re: (Score:2)
Microware OS-9 from 1979 used program and modules somewhat like DLL or shared libraries. The code to load a module would CRC check them when loaded and that bit of code could check a list and that list could either allow or deny any module. If you loaded the right data module, you had built in white listing about 3 and a half decades ago.
Trusted program, untrusted use (Score:2, Informative)
What if someone breaks in, gets command line access and uses trusted commands to send the data elsewhere? The hacker used trusted programs to do the breach, so a white list would not stop it.
Re:Trusted program, untrusted use (Score:5, Informative)
All good security is layered. This is one part of a complete security model, the part that prevents the hacker from uploading and using his own tools.
Of course, you also need other parts. For example, runtime-patching is a reality, so unless you have additional protections in place to prevent it, there are plenty of ways that a hacker can still execute arbitrary code including entire programs.
But the primary protection this offers is to finally solve the exe-cloaked-as-jpeg-or-zip-in-a-scam-email-that-users-click-to-open problem that Mickeysoft should've solved 10 years ago by simply fucking removing that idiocy from Outlook one day after it went live and people realized how trivial it is to abuse.
Basically, the primary benefit of this will be that it prevents unintentional execution of code. It doesn't stop a dedicated attacker who already has root access, at least not by itself.
Comment removed (Score:4, Interesting)
Re:Trusted program, untrusted use (Score:5, Insightful)
Oh please do you REALLY think that is the cause of Windows infections?
Your reply was misplaced by the comment system, it seems, because it doesn't seem to refer to anything I actually said.
The social engineering angle is how you get users to execute crap they got sent by mail. The (old) idea under discussion here is a system that would make that execution impossible, even if you get the user to click the link.
That said, the user is not the weakest link. That's a cop-out by IT people who don't want to look beyond technical solutions into cognitive sciences, for example. There's been a bit of research into these areas in the past 10 or so years, but the conferences on the topic are still very small and mostly academic.
There's quite a lot you can do to prevent or at least make these kinds of attacks more difficult. But most of it is outside the techie comfort zone, and it means actually having to talk to users and understand them instead of labeling them "lusers" and stuff.
Re: (Score:2)
It depends on the context.
In a corporate environment: Yes, definitely.
In a private environment: Yes, for daily use. The admin account or whatever that you need once a month to install new software, etc. would be in the user's hands in this case.
Re: (Score:3)
This worked in limited cases, but not in business where workers are not volunteers, time is ab
Trusted program, untrusted use (Score:2)
What if someone breaks in, gets command line access and uses trusted commands to send the data elsewhere? The hacker used trusted programs to do the breach, so a white list would not stop it.
Well your machine is now compromised. You now have to ask the question "What can I do". Normally in a case like this you should do a fresh OS install from a trusted source (eg. bootable CD/DVD, USB key) followed by appropriate customisations then updates from a trusted source. You could do a recovery from your OS backup but if you have been compromised I would not trust this.
Obviously you may need to recover your user data if that has also been compromised but if are looking at an enterprise system or eve
Licensing and Cert Costs (Score:3, Interesting)
Or put the HD into Read only mode (Score:2)
Windows can be made to boot of DVD or read only media.
Now to also make %TEMP% with no execute allowed.
Re: (Score:3)
Doesn't do you much good if you don't know what you are signing, or something gets munged on its way from the vendor to IT; but you don't have to tithe to verisign if the machines are on your domain and will trust you as a CA if you t
Seriously? (Score:5, Insightful)
Why the flying fuck does anybody think Slashdot readers need to have "whitelisting" defined for them, let alone think they can pass it off as a "new technology"? Did Dice start putting those retarded SlashBI articles in main Slashdot now?
Re:Seriously? (Score:4, Funny)
As a manager these definitions really help me out. Could you tell me if these 'whitelistings' are webscale?
ps I really like the new slashdot beta site!
Re: (Score:3)
I'd mod you up, but duuuude, 'webscale' is sooo yesterday.
Leveraging your core value proposition thru social networking in the cloud is the new hotness!!!
I really dig the new beta site too - liked it on all my facebook pages and tweeted it too!
Now 'scuse me, have to update my whitelists and hosts files.
Re:Seriously? (Score:5, Insightful)
Though most, if not all of us, know what whitelisting is, I do prefer they explain it rather than assuming we know it. I've run across too many articles in the past that assumed I knew some piece of information when I didn't. Sure, I can look it up, but that's annoying when you're just trying to read "news." Though this is a site for "nerds", that is a broad term. There's computer nerds, science nerds, comic nerds, etc. Now, the passing it off as new... I've got nothing; that's just lame.
Re: (Score:3)
The way some sites handle this is by using the dfn element (or abbr) to actually explain what a term means or expands to. The regular reader just sees the term, but (typically) hovering over it will show the full definition / expanded form. That has always seemed like fair compromise to me.
Re:Seriously? (Score:5, Insightful)
Uh, yeah. The sort of dumbfuck managers who might conceivably read slashbi are the exact audience the beta design (fuck beta, BTW) is meant to appeal to.
The big idea, though unspoken, is clear: to keep the slashdot name, but shift in both content and presentation from a discussion site seeded with news for nerds to a straight-up news site (with discussion as an afterthought) for PHBs. SlashBI doesn't work because that name is not (and has never been) perceived to carry an aura of technical knowledge -- but PHBs have been hearing about this slashdot thing for a decade now. Rolling out a PHB-friendly site under the "slashdot" brand will help PHBs play one of their favorite games, namely indulging in the fantasy of deep technical knowledge without the inconvenience of learning -- and that means Dice makes big bucks placing ads in front of this "decision maker"-heavy audience. (This new audience is not only worth more to advertisers, they're also substantially less likely to use ad blockers than the old /. community.)
Re: (Score:2, Redundant)
Yes I know that he or she is posting as AC, but this so beautifully encapsulates where the 'beta' is headed that it really deserves to be seen.
The original slashdot users and discussion format simply don't fit into the 'passive content consumer' business model of dice, and no amount of posting 'fuck beta', or boycotting, or whining to Timothy or any of the other editors is going to change that.
Re:Seriously? (Score:5, Insightful)
It appears that the Dicedroids think everyone is as stupid and clueless as they are.
Already Possible (Score:5, Interesting)
Newer versions of Linux can already do this. Using the integrity measurement architecture, module signing, and Secure Boot it's possible to have a system where almost any change is detected. I'm currently trying to get it all working on my machine right now, but it's slow going. Here's hoping that distros start shipping with this set up by default. http://lwn.net/Articles/488906... [lwn.net]
A shorter term security measure that more users/Distributions should take is making the root partition read only. I know Android already does this, but it really does help. Something that I would really like to see is an easy to use per application firewall. Cgroups mean that I don't even have to worry about it just spawning a child process. Yes, I want to play this game in wine. No, I don't want it to access the internet. No, wine refuses to run it as a different user, much less one with lower privileges.
Re: (Score:2)
Newer versions of Linux can already do this. Using the integrity measurement architecture, module signing, and Secure Boot it's possible to have a system where almost any change is detected. I'm currently trying to get it all working on my machine right now, but it's slow going. Here's hoping that distros start shipping with this set up by default. http://lwn.net/Articles/488906 [lwn.net]...
A shorter term security measure that more users/Distributions should take is making the root partition read only. I know Android already does this, but it really does help. Something that I would really like to see is an easy to use per application firewall. Cgroups mean that I don't even have to worry about it just spawning a child process. Yes, I want to play this game in wine. No, I don't want it to access the internet. No, wine refuses to run it as a different user, much less one with lower privileges.
Take it from a former Solaris admin, difficult to maintain over-engineering is not the answer. It will fail, and users will hate you.
Question of the day: Why are single user smartphone OSs better at segregating processes than server OSs in the first place? Even while using basic UNIX features to do it?
These classic UNIX systems kind of need to roll over and fall into their graves already. I mean look at what you get with VMWare ESX, then look at iOS/Android, then look at say.. a RHEL-type classic UNIX se
Re: (Score:2)
It's relatively easy to get those features if you don't mind breaking all backwards compatibility. Which is what Android did.
It gives each separate process its own UID, but has them all using a common display server. Then you combine the way that almost everything has to be done through the Android framework with some special kernel patches. For instance, /etc is normally used for settings files, but that means special things have to be done if you want to mount root as read only. Especially since some
NetBSD can do this already (Score:5, Informative)
http://netbsd.org/docs/guide/en/chap-veriexec.html
Veriexec is NetBSD's file integrity subsystem. It's kernel based, hence can provide some protection even in the case of a root compromise. Veriexec works by loading a specification file, also called the signatures file, to the kernel. This file contains information about files Veriexec should monitor, as well as their digital fingerprint (along with the hashing algorithm used to produce this fingerprint).
Re: (Score:2)
Veriexec is NetBSD's file integrity subsystem. It's kernel based, hence can provide some protection even in the case of a root compromise.
Although.... the JunOS routers which are based on FreeBSD use veriexec. Upon boot, after mounting filesystems; the devices set veriexec to level 3 and increase the securelevel to 1.
Please read before modding down. (Score:4, Informative)
What company directs 25% of its users to a partially-working, not-ready-for-production website? Please realize that Beta will not have the features that we want, because it goes against Dice's plans for Slashdot. To their advertisers, Dice presents Slashdot as a "Social Media for B2B Technology" [slashdotmedia.com] platform. B2B - that's the reason Beta looks like a generic wordpress-based news site. A large percentage of the current userbase might be in IT, but /. is most certainly not a B2B site.
Nevertheless, Dice is desperate to make money off of Slashdot, since it has not lived up to their financial expectations, a fact that they have revealed in a press release [diceholdingsinc.com] detailing their performance in 2013:
Slashdot Media was acquired to provide content and services that are important to technology professionals in their everyday work lives and to leverage that reach into the global technology community benefiting user engagement on the Dice.com site. The expected benefits have started to be realized at Dice.com. However, advertising revenue has declined over the past year and there is no improvement expected in the future financial performance of Slashdot Media's underlying advertising business. Therefore, $7.2 million of intangible assets and $6.3 million of goodwill related to Slashdot Media were reduced to zero.
Beta is not a cosmetic change. It is a new design that deliberately ruins the one thing that makes /. what it is today -- the commenting system. There is nothing wrong with Slashdot, from the users' perspective, that demands breaking its foundations. As others have commented, this is an attempt to monetize /. at any any cost [slashdot.org], and its users be damned. Dice views its users, the ones who create the site [slashdot.org], as a passive audience. As such, it is interchangeable with its intended B2B crowd. We, the current users of Slashdot, are an obstacle in Dice's way.
That is why they ignore the detailed feedback they have received in the months since they first revealed Beta. That is also why they now disregard our grievances. Their claims of hearing us are a deliberate snow job. It is only pretense, since at the same time they openly admit that Classic will be cancelled soon [slashdot.org]:
"Most importantly, we want you to know that Classic Slashdot isn't going away until we're confident that the new site is ready.
Don't hold your breath waiting for Dice to fix Beta. Their vision of Slashdot is a crippled shadow of the site as it is today. Don't let them pull the wool over your eyes. Dice doesn't need us, and it wants us out.
Slashdice delenda est!
reddit how-to (Score:4, Informative)
Reddit has a text-based, list-oriented design the way we want it. It suffers from a lack of article summaries though.
How to customize reddit to replace slashdot:
Step 1: Sign up on reddit.
Step 2: Visit these subreddits and click the "subscribe" button in each one of them:
http://www.reddit.com/r/games [reddit.com]
http://www.reddit.com/r/gaming [reddit.com]
http://www.reddit.com/r/pcgami... [reddit.com]
http://www.reddit.com/r/privac... [reddit.com]
http://www.reddit.com/r/politi... [reddit.com]
http://www.reddit.com/r/openso... [reddit.com]
http://www.reddit.com/r/techno... [reddit.com]
http://www.reddit.com/r/law [reddit.com]
http://www.reddit.com/r/space [reddit.com]
http://www.reddit.com/r/scienc... [reddit.com]
http://www.reddit.com/r/govern... [reddit.com]
http://www.reddit.com/r/securi... [reddit.com]
http://www.reddit.com/r/biotec... [reddit.com]
http://www.reddit.com/r/censor... [reddit.com]
Step 3: Go to your user profile and look for your personalized RSS feed (should be in https://ssl.reddit.com/prefs/f... [reddit.com]); it will give you a digest of the best stories across all your subscriptions.
Re: (Score:2)
fetta and olives
Better idea (Score:3)
Why not just take computers away from people? I mean if you're going to put such heavy restrictions in place why not just give someone pen and paper, it would be equally as efficient for the end user than having to call up IT every 5 minutes because you're not allowed to use the computer you're given.
Re:Better idea (Score:4, Interesting)
Because their productivity will be higher with a computer, even a restricted one, than with pen-and-paper. And if you are talking typical office workers, you would be surprised how few applications they actually need. Most of the office workers in the world spend 99% of their time in
Re: (Score:2)
it would be equally as efficient for the end user than having to call up IT every 5 minutes because you're not allowed to use the computer you're given.
Actually, you are permitted to use the computer for what it was assigned to you for. What you cannot do is run all sorts of executables which have not been approved, some of them being malware, stupid browser plugins and all kinds of crap.
The company I work for has implemented Bit9 on the XP PCs we need to keep. Works just fine. The user can keep the software that cannot run on 7/8, and the computers are secure.
Re: (Score:3)
Seriously consider, how often do you need to run a NEW application? Every 5 minutes? Really? Do you think most organizations don't have a list of approved applications that have been vetted through a security process and are maintained and updated by IT?
Re: (Score:2)
HE doesn't need to write a law, an executive order will work just fine. While he's at it, why don't we try to get him to redefine the value of PI.
Re: (Score:2)
Can't the government mandate an IQ of 100 for everyone? Obama should write a law!
Why not an IQ of 180 for everyone?
old idea (Score:4, Insightful)
The idea is one of the oldest in IT security.
And it works really, really well.
And it is a PITA to administrate if you have a system that changes, as lots of systems do. For your regular service server, much less a desktop system, where new releases require new libraries, system updates are regular and new application required every now and then, it is almost impossible to actually do it.
On a locked-down system that needs to do one thing, but do that thing reliably and securely, it's a fantastic security measure that will eliminate about half of your security headaches right there.
It's the same idea as SELinux, just on a different level, and it shares many of the disadvantages, namely that it makes policy management into a full-time job.
We're adopting this at work... (Score:5, Insightful)
While I admit that as a programmer I will inevitably have a skewed point of view, I view it as ill-advised.
A computer is useful primarily because it is NOT a special purpose tool, but a general purpose one.
Whitelisting cripples your computer. If you can't run software without it being on a whitelist, you can't even write a shell script, or a VBA macro. Your computer stops being useful as a general purpose tool - only the software that has been approved remains useful.
Yes, I get that most users are numpties and probably do need to be kept from hurting themselves. But this kind of policy cuts down the tall poppies - the ones who actually can make their computer work for them, instead of just working at their computer, and removes the possibility that any more will arise - no-one will voluntarily seek the rights they need to approve of their own software, because they'll be singled out as potential hackers and troublemakers, and any data breaches that do occur will be attributed to them.
As applied within our organization, it's also soul-crushingly annoying to programmers. We'll have the rights to approve of any software we want to run, but we have to click through an approval dialog for each... new..... file... which of course, means that every time we rebuild our code we face a clickfest just to debug it, or run unit tests on it, etc.... most of us have shied away from being "upgraded" to Windows 7 because of this. Several of us just wish we could change to Linux, being Java programmers.
Indeed, many of our internal teams are also getting the self-approval rights, which just trains them to click "Approve" and you're all the way back to UAC again, no extra security, just extra hassle, reduced performance of the computer (which is now hashing every file you access on the drive to see if it's on the whitelist), and more money diverted into the coffers of the kind of company that sponsored this story in the first place.
Re: (Score:2)
This idea is for computers hosting credit card info, personal information, and other potential targets. A development environment may host interesting bits, but should never have these tempting bits on it.
Your implementation is everything whitelisting was never intended to be, and is unrelated to this story except tangentially as a cautionary tale of where to draw the line as an employee.
I don't see how whitelisting on a POS device will possibly work if it needs updates, delivered remotely, and whitelist up
Re: (Score:2)
The software running on the POS is completely known and controlled. In a big organisation there are lots of them, so you want to be able to update over the network. Updates are tested and bundled with any whitelist updates required. It's the perfect environment for whitelisting.
I'm curious why you think it won't work on a POS with remote updates?
No, not as such (Score:2)
Whenever someone tells you that x solves all problems, it typically doesn't.
Whitelisting is currently practised on many mobile platforms. The only thing it does is force people to turn it off so they can actually use their devices, since the white list was done by people with differing opinions.
The more sensible solution is to do it like Debian does it. Have repositories making it easy to download software which matches certain criteria. Make it moderately hard to install new repositories and make it hard t
no, make officers responsible (Score:2)
It's not that those methods do not work, it is that the managers, executives, and directors are insulated from the damage. Make the CIO, CFO, and CEO cough up a few million per breach and they will be stopped. Close companies that are breached repeatedly, and make the directors reimburse the other stockholders out of their own pockets. I once worked at a company where the CEO mandated that he should be able to access confidential information at any location in the company, including offshore locations.
No. (Score:5, Insightful)
As usual with this type of headline, this is not a solution. In fact, it is not a solution at all. Just think of the most common way to compromise an executable: Buffer overflow. In that case, code is put somewhere in the memory area of the running process and then the process is coerced to execute it. This means the attack code runs in the context of the already running process afterwards and white-listing has zero impact. The only effect it has is that it gets harder for the attacker to start additional processes.
As for code-injection attacks, these are usually done with interpreted code, and white-listing does not even apply to that.
This is another technology that at best makes it harder for script-kiddies to break into a system, but has basically no impact on competent attackers.
Incidentally, techniques like SELinux allow far more than a simplistic "white-listing", and have done so for quite a while.
Re: (Score:2)
Just think of the most common way to compromise an executable: Buffer overflow.
You're asking the wrong question. The real question is what's the most common way to compromise a Windows COMPUTER. And that answer is to trick the user into running an untrusted piece of software, either from some web page (using some browser or extension bug, or convincing them to download it) or via an e-mail attachment.
Re: (Score:2)
No, I do not. There is no need to compromise the computer today, compromising an application is quite enough for most purposes these days. One of the downsides of putting a web-interface on everything.
Of course, ultra-low cost and competence attacks like the ones you describe are an issue, but only for organizations that really, really have no clue how to manage IT security. How such organizations would manage to administrate a "white-list" is unclear, likely they would just botch it as well.
Attempts to limit users typically backfire (Score:2)
The powers that be had the great idea of launching a policy of locking down PCs where I work. Which is ridiculous considering that we're a large research university and that, believe it or not, bureaucrats can't predict what researcher X in lab Y will want to put on their computer. Because users were unable to do anything on their own, the IT people were spending a lot of time going from one office to the other installing the software that people needed. It lasted for maybe a week, at which point some "help
Betteridge (Score:2)
No. Getting your mom to show you how to use the washing machine is the answer to dirty britches.
Data surface not application surface (Score:2)
A buffer overflow should not provide the keys to the city.
We need security orthogonal to the executing application surface.
Here's an idea, don't know if it will catch on, but how about encrypting the data in it, whitelisting the users / apps that can use it, thereby reducing the surface vulnerable to attack. It would require a sophisticated public key infrastructure integrated with all processes. Data objects could organize their fields into multiple segments that can be progressively unlocked.
Whitelisting has been in AV products for years (Score:2)
now. This is hardly a new concept or a new implementation.
Java (Score:2)
You still have to apply security updates to your installed software, especially with the many remote Java vulnerabilities that have been disclosed in the last year (and that you should have hurried to fix). And you must trust whoever sends you your update before whitelisting it, because it could be someone playing MITM.
On the other hand, whitelisting a list of software approved by some authority means that the only software you will be able to install is the software already backdoored by governments, and perpetuat
My solution... (Score:2)
For routine operation of Internet-exposed systems, the / filesystem (which includes /usr and, usually, /usr/local) is mounted read-only. The user-modifiable places (/home, /tmp, /var) are mounted with the noexec option.
Although a dedicated attacker might be able to succeed anyway (the same script can be run with `sh script` instead of `./script`), it throws sort of a "tangle-foot" over them — most of the hacks involve some compiled binaries. And, if the targeted filesystem is mounted read-only, even root can not mod
Re: (Score:2)
Back in the days when you could get regular CD-ROM drives I saw some setups that would put /usr, /usr/local and /opt on a CD-R and then boot off the CD. Since the drive couldn't write, even trying to force a reboot to mount RW was pointless, as the drive couldn't physically write to the disc.
The down side was it was a pain to operate like that, since every patch required a new CD to be burned. Most gave up before too long once they realized how often they'd need to be patching things.
Whitelist developers (Score:2)
*All* execution environments would need updates to support this so it won't be easy or quick. This is not a new idea, but having it populari
Re: (Score:2)
One big problem is that there are a tremendous number of things that are executables. They're not just compiled executables or Javascript, but anything that might be run through an interpreter. We've had VBA viruses for a long time; should we have to register Word documents before passing them around? Suppose I send you a registered Perl interpreter and a malicious Perl program? There's malware in places most people never expected.
Another is simply setting up the registry. To do any good, there woul
Re: (Score:2)
It's gotten so bad with VBA that Word now makes you OK the execution environment when you open the document. Presumably classes of programs like the Perl interpreter would potentially be risky software that requires an OK to run at all. Same thing with shell scripts.
You would
"Whitelisted" binaries are the ones 0-days target. (Score:2)
Its a start. But not the end (Score:2)
Whitelisting works against a lot of things. It doesn't work against things that look enough like the program to sneak through or against hack systems that are outside your system probing for weaknesses.
Not only do you need a white listing system you need portions of the network that are hardcoded. Literally impossible to change because the coding is set in stone. You can have firmware in those systems but the firmware has to be READ ONLY. Possibly you could have a PHYSICAL switch that enabled read/write to
Everyone check this out (Score:2)
Shell script (Score:2)
A simple shell script runs only resident binaries, and it can already do a lot of harm. It can even escalate using local exploits.
How can whitelisting help here?
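Two of the comments above make a practical point that is easy to check: a read-only / with noexec on /home, /tmp and /var (the "My solution..." post) raises the bar, but a script with no execute bit, or on a noexec mount, still runs when handed to a whitelisted interpreter (the "Shell script" post and the Perl-interpreter remark). The following POSIX shell script is an added example, not code from any commenter on this page. It audits a mount table for writable mounts that lack noexec, and it demonstrates the interpreter bypass. The mount table is constructed sample input, and because mounting a noexec filesystem needs root, a file with its execute bit removed stands in for a file on a noexec mount (the kernel refuses a direct exec in both cases).

```shell
#!/bin/sh
# Added example: audit mount options for noexec and show why noexec
# alone does not stop interpreted code. Not code from the thread.

# Constructed /proc/mounts-style sample input (device, mountpoint,
# fstype, options, dump, pass). On a real host pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,noexec,relatime 0 0'

# Print every mount point that is writable (rw) but lacks noexec.
# For the sample table above this prints only /tmp.
missing_noexec() {
    printf '%s\n' "$1" | awk '
        {
            n = split($4, opts, ",")
            rw = 0; noexec = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw") rw = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (rw && !noexec) print $2
        }'
}

# Returns 0 (success) when the bypass works: the script cannot be
# executed directly (exit 126, permission denied), yet "sh script"
# runs it because the interpreter only reads the file.
interpreter_bypass() {
    dir=$(mktemp -d) || return 2
    script="$dir/payload.sh"
    printf '#!/bin/sh\necho hello-from-script\n' > "$script"
    chmod 0644 "$script"   # no execute bit: stands in for a noexec mount
    direct_rc=0
    "$script" >/dev/null 2>&1 || direct_rc=$?
    via_sh=$(sh "$script" 2>/dev/null)
    rm -rf "$dir"
    [ "$direct_rc" -ne 0 ] && [ "$via_sh" = "hello-from-script" ]
}

# Stand-alone run: report the gap in the sample table, then the bypass.
missing_noexec "$SAMPLE_MOUNTS"
if interpreter_bypass; then
    echo "direct exec blocked, but 'sh script' still ran it"
fi
```

The audit half is the check a practitioner actually wants after setting up the layout described in the thread; the second half is the reason that layout is a speed bump rather than a wall. On Linux, noexec also blocks mmap with PROT_EXEC of files on that mount, which stops compiled payloads and shared libraries, but a shell, Perl or Python interpreter installed on the read-only / never needs that: it just reads the file. Whitelisting therefore has to reason about what whitelisted interpreters are fed, not only about which binaries may start.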
paid advertisement (Score:2)
Game consoles with their OS in ROM are commonly hacked.
Re: (Score:2)
The more flexible idea is to have the complete system you'd normally image simply be read only under normal circumstances and only writable permanently under special circumstances.
Somebody posted a link to "Deep Freeze" which does this, but there are probably a lot of ways to do this on a desktop PC or through virtual desktops.
Re: (Score:2)
I would like to see the filesystem of an OS partitioned into several levels: read-only disk drives where stuff never changes unless an update occurs (kernel, device drivers, configuration files), read-write disks where log files are updated by the minute, hour or day, and a local/user partition which is updated by the user.
Our university managed to do something similar by just having an ISO image that they overwrite the OS partition with, every time the PC was rebooted.
Re:Do it in ROM (Score:4, Insightful)
I would like to see the filesystem of an OS partitioned into several levels: read-only disk drives where stuff never changes unless an update occurs (kernel, device drivers, configuration files), read-write disks where log files are updated by the minute, hour or day, and a local/user partition which is updated by the user.
You mean the way that almost every installation guide for every Unix system ever recommends you do it, and almost nobody ever does?
Re:Do it in ROM (Score:5, Interesting)
I have Fedora 20 running on my PCs and I make sure I document my system layout, application requirements, customisations and of course my security files, which I save. If, on the off chance, my system gets compromised, I can easily 1) Do a system recovery or 2) Do a fresh install and update without compromising my
The fresh install takes me approximately 1 hour then 15 minutes for customisations then about 1 hour for the update although during this time I can fully use the machine. It must be noted that a recovery from backup would most likely take me about 20 minutes for 10 GB to be recovered (over 2000 packages), however if you have been compromised it is usually safer to do a fresh install.
It is possible to have a read-only system file-system for a Unix/Linux but this would be a stupid idea since you have
Re: (Score:2)
I would like to see the filesystem of an OS partitioned into several levels: read-only disk drives where stuff never changes unless an update occurs (kernel, device drivers, configuration files), read-write disks where log files are updated by the minute, hour or day, and a local/user partition which is updated by the user.
That's called every file system that exists on any computer today. If you want to see it, only log in as a user who doesn't have administrative rights.
Re:Do it in ROM (Score:4, Insightful)
Sadly, the worst problem for system security is humans. If you required the flipping of a physical switch then malware would simply tell the user to flip the switch to see your choice of free porn, music, movies, games, etc. and the human will flip the switch (or any other method that requires human action). Humans are stupid... sad but, true.
Re: (Score:3)
Which is why a good security model for a company will not give users the ability to flip that switch.
Which also means that if you don't want the IT department to spend 90% of their time fielding "I need to do X, can you enable it for me?" calls, you need to spend considerable time, effort, expert knowledge, user interviews and other things that equate to money, on creating a good policy.
And since most companies shun security expenses and would rather knowingly risk a $1 million break-in than spend $10k to prev
Re: (Score:2)
Sadly, the worst problem for system security is humans. If you required the flipping of a physical switch then malware would simply tell the user to flip the switch to see your choice of free porn, music, movies, games, etc.
Maybe so, but in an Enterprise environment, the "Toggle Switch" would be replaced with a KeySwitch, and the end user would not have the key to operate it.
Re: (Score:2)
Yeah, but they have voice recognition, so you only actually lose control of a starship capable of causing damage on a planetary scale if a homesick android turns hostile, which would never happen.
Well, that or if someone brings in a tape recorder, I guess.
Re: (Score:2)
Yeah, but they have voice recognition, so you only actually lose control of a starship capable of causing damage on a planetary scale if a homesick android turns hostile
Normally the computer can tell the difference between a human and an android or a recording.
The android happened to be a computer genius though, and so he reprogrammed the voice recognition procedure
He could have defeated a physical switch too.
The fact is.... if your adversary is a technically sophisticated android with local access, t
Re: (Score:2)
Have the change require a hardware dongle. Lock the hardware dongle away where only the sysadmins have the (physical) keys. Problem solved.
Unless the sysadmin is in a different office, city, country or continent... Yes it is a real scenario. We do that in our company.
Or unless the sysadmin is responsible for a few thousand servers in a datacenter.
One problem solved, another unsolvable problem created.
But what about management? (Score:3)
Unfortunately, among the worst offenders for lax security practices you will often find company executives. The kind of person who makes it into such positions tends to have a certain arrogance, sociopathic tendencies, and a presumption that anything they screw up can be fixed by someone else later if necessary. If someone like that runs into an access control barrier on their computer, they call IT and say remove it. And if it doesn't get removed, they call the IT guy's supervisor and say remove it, and th
Re: (Score:2)
Mod this up. It is so damn true it should be written in stone somewhere and referenced on the test to any IT job.
I don't know how many times I have had to relax some restriction for a CEO or partner or owner because they were too special for it. Of course in the case of a partner or owner, it's their money and equipment so it's their choice all along, as for a CEO or CFO, it is sort of the same so I do/did whatever they wanted. I remember removing mail attachment size restrictions and even executable restri
Re: (Score:2)
A similar story that might amuse:
Once upon a time, I worked for a large organisation that sold software. There were some concerns about the security of our computer systems, and so mandatory annual briefings were introduced. These would remind everyone about best practices and provide hard data to demonstrate how serious the problems could be in terms of down time and $ cost. The briefings would be delivered to each employee at their desk, with the employee being required to click through the presentation s