<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Security Absurdity: A long-overdue wake up call in Security</title>
<link>http://www.dslreports.com/forum/r16095517</link>
<description></description>
<language>en</language>
<pubDate>Thu, 03 Dec 2009 09:52:32 EDT</pubDate>
<lastBuildDate>Thu, 03 Dec 2009 09:52:32 EDT</lastBuildDate>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16127185</link>
<description><![CDATA[<A HREF="/useremail/u/335927"><b>garywk</b></A> : Any company that hosts data for people is responsible for keeping that data secure.  It's the law that they must take reasonable precautions to protect that data.  If they are hacked, and have not taken reasonable security precautions, they can be held liable.<br><br>Why does this not apply to ISPs?  They host very large networks.  Why are they not held responsible to a certain degree for the security of that network?  Other companies certainly are for their networks.<br><br>It's true that the ISP's situation is quite different, but the way they monitor traffic it wouldn't be that big of a step to monitor traffic to ports that are well-known as being used by trojans and other malware.  There is no reason that they cannot inform their users of this and require their users to have their computer cleaned up before they can access the internet again.  Sure it would create some overhead for them, but at the same time it would decrease the traffic on their networks.<br><br>I know I have requested my ISP to inform users of their services that their computers were infected.  Worms on those computers were constantly making connection attempts, and they refused to even contact the person although I gave them a full set of firewall logs showing the time, date, source and destination ports. They could have cared less what was happening on their network.  That's not reasonable care, by just about any definition.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16127185</guid>
<pubDate>Thu, 18 May 2006 23:33:51 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16122110</link>
<description><![CDATA[<A HREF="/useremail/u/989554"><b>Blue2</b></A> : I don't know how ISPs in the US currently work, but having lived in several European cities, many European ISPs <B>SELL</B> virus and security protection as add-on services. Getting customers to shell out 5 €/month equals about $75/year in additional revenue per household. So perhaps it is more in <B>their</B> interest to allow a few things to propagate on their networks just long enough to sell solutions.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16122110</guid>
<pubDate>Thu, 18 May 2006 11:48:44 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16117838</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Who said anything about filtering or port blocking?  I didn't.  I happen to think there are better ways, that target removing the offender, not filtering their traffic or blocking the ports they use on your connection so that you can't use them either.  It takes some creativity and automation.  The same things that enable the offenders can also be used to defeat them.  And since the ISPs control (or should control) their networks they also have the upper hand if they would actually fight.<br><br>Web traffic legal, yes.  DDoSes on the other hand are illegal.<br>Port scanning legal, maybe, maybe not, but nonetheless a violation of most ISPs' TOS, and customer connections being used for such should be shut down.  Very easy to detect.<br>Sending email legal, yes.  But not all SPAM is legal.  But I'm not talking about filtering/blocking SPAM.  Though a much better job of it can be done.  But it requires a different approach than trying to determine which emails are spam.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16117838</guid>
<pubDate>Wed, 17 May 2006 19:03:52 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16117185</link>
<description><![CDATA[<A HREF="/useremail/u/889138"><b>ZOverLord</b></A> : The second you allow all parties involved where data packets flow to define limits and restrictions, you end up with big problems.<br><br>If you had multiple auto-pilots guiding a plane:<br><br>1. From the original Airport<br><br>2. From any Air Traffic Control Tower in the entire flight path<br><br>3. The Destination Airport<br><br>4. The Plane itself<br><br>You would be lucky to land, let alone fly the plane, if none of the 4 could agree who has the final say at any point in time.<br><br>Minus the checking of malware in Email for email providers, I think any and all auto-pilots should reside in the plane ("Your System").  :p<br><SMALL>--<br>Black, Grey and White Hats Unite here -> &raquo;<A HREF="http://testing.OnlyTheRightAnswers.com" >testing.OnlyTheRightAnswers.com</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16117185</guid>
<pubDate>Wed, 17 May 2006 17:40:37 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16117116</link>
<description><![CDATA[<A HREF="/useremail/u/730004"><b>devicenull</b></A> : The "roads" (connection) are perfectly safe.  It's the destination (web site) that is unsafe.  ISPs filtering inbound requests is a BAD idea.  You will shortly see charges for opening ports needed by games/P2P if that happened.  Despite numerous emails, phone calls, and support tickets, my ISP says they cannot remove the port 135 block.  Even though I know exactly what the risks are, and have ensured it won't even be going to a Windows machine (mwcollect).  So I'm against any sort of filtering.<br><br>AFAIK:<br>Web traffic is not illegal. (There go most DDoSes)<br>Port scanning is not illegal; it may be against the TOS<br>Sending email is not illegal. (There goes spam, unless you are going to filter every outgoing email.. a bad idea)<br><br>The only potentially illegal thing would be spreading viruses via exploits.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16117116</guid>
<pubDate>Wed, 17 May 2006 17:29:38 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116813</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Road owners/builders have an obligation to build and maintain roads that are safe to travel.  So do network owners/builders if they are going to allow the public on them.<br><br>Never said ISPs have an obligation to check whether the customer takes appropriate safety/security measures.  I'm talking about the ISP shutting down known illegal activity.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116813</guid>
<pubDate>Wed, 17 May 2006 16:40:25 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116772</link>
<description><![CDATA[<A HREF="/useremail/u/1313688"><b>HMS1</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Seatbelts and clean air are good things too.  But both had to be imposed on the automakers as well as the consumers.  Would be great if the ISP would do it of their own accord.  But it doesn't look like they will.  Given that, it will inevitably end up being imposed by legislation. </DIV><BR>These cases are not analogous. In the first place, the ISP is like the road builder or maintainer; the car makers correspond to Microsoft, Apple, browser makers, etc.<br><br>But looking at the seat belt law, it has never been the car makers' obligation to check whether the buyers wear seat belts, or monitor how fast they drive, or whether they head for the car when intoxicated. What the seat belt law, and similar laws do, is only to require the vendors to provide the means for buyers to protect themselves, not to look for bad behavior. Similarly most products have to be safe when used as intended or as the seller could reasonably expect them to be used. Liability law has been stretched beyond these boundaries by zealous plaintiffs' lawyers, but it shouldn't be.<br><br>Likewise, I would say that it ought to be Microsoft's legal obligation to make the OS in such a way that it is secure when used in the normal or expected way. (I was hoping we'd get to this. This is one of the places where blame does belong, IMHO.) Windows is knowingly marketed to millions of people who know little about computers, and until recently it was in an unsafe condition out of the box.<br><br>The way these discussions usually go, someone makes the above observation, then someone else says "but you can do A, B and C and secure it, therefore it's not Microsoft's fault". 
Well, yes, but if Harry Homeowner doesn't know about  A, B and C, then the question remains of how much each party should have to do.<br><br>To finish off (I hope) the other topic, though, it would be a very bad rule to say, the road-maintenance people could watch for bank robbers driving on the roads, or speeders, etc., therefore the solution to bad activity on the roads is for the pothole-fixers to take on these additional responsibilities. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116772</guid>
<pubDate>Wed, 17 May 2006 16:34:15 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116672</link>
<description><![CDATA[<A HREF="/useremail/u/191317"><b>bcool</b></A> : <div class="bquote"><SMALL>said by  HMS1 <A HREF="/useremail/u/1313688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>A computer licencing requirement is the sort of thing that appeals to people when they imagine it being administered in an idealized way - minimally restrictive, by competent bureaucrats, and only as needed for public protection.<br><br>In the real world it would quickly become a mighty engine of censorship, exploitation, special-interest protectionism, and political oppression.<br><br>* Criticize the government online? "Oops, we miscalculated your exam score! Your licence is no good."  or some infraction of the myriad regulations is quickly found in something you do.<br><br>* Software vendor X gets a "sweetheart" deal with the regulators, then everyone has to buy, install and run X's product as a condition of being allowed online - "for public safety". And the legislature is not interested in any complaints about this product or the requirement of it, unless you can afford your own lobbyist.<br><br>* Do something online that regulators don't approve, you have to pay a fine. 
The list of fineable offenses may be somehow related to "safety" at first but soon expands without limit.<br><br>* Everything you do is monitored from inside your computer; encryption and foreign proxies are banned - otherwise unlicenced users could get behind the keyboard and the regulation could not be complete.<br><br>* All your data is sold to some murky private company that got a deal from the legislators - "to pay the costs of this essential protection system".<br><br>* Your computer is still hacked by some kiddie scripter because (a) you're no longer allowed to have control of it and therefore can't secure it, and (b) the vast regulatory apparatus doesn't actually work.<br><br>* Anyone who criticizes the scheme is denounced as a supporter of anarchy, hacking, viruses, child pornography, terrorism, etc.<br> </DIV>Yikes! Not a bright prospect at all, huh?  Oh well, it was a thought.<br><SMALL>--<br>"in flagrante delicto"</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116672</guid>
<pubDate>Wed, 17 May 2006 16:19:21 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116562</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : <div class="bquote"><SMALL>said by  HMS1 <A HREF="/useremail/u/1313688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>Imposing on ISPs the obligation to detect and remove them is a bad thing.<br> </DIV>Seatbelts and clean air are good things too.  But both had to be imposed on the automakers as well as the consumers.  Would be great if the ISP would do it of their own accord.  But it doesn't look like they will.  Given that, it will inevitably end up being imposed by legislation.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116562</guid>
<pubDate>Wed, 17 May 2006 16:02:17 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116533</link>
<description><![CDATA[<A HREF="/useremail/u/1313688"><b>HMS1</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Detecting and shutting down bots trying to break into people's computers/networks has negative consequences?  </DIV><BR>Shutting down known hosts of malware is a good thing. Imposing on ISPs the obligation to detect and remove them is a bad thing. The latter is what I referred to the negative consequences of.<br><br><div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>By the way, in the last three days I have reported 14 bots (the highest few offenders each day) using Verizon DSL connections to Verizon Online and none of them have been seen again.  I applaud Verizon for whatever action they may have taken to shut down these bots. </DIV><BR> That's a procedure I expressed approval of: affected parties make abuse reports, and then on the basis of specific reports, the ISP takes action. Compliments on getting a big ISP to act like that; often they are less helpful.<br><br><div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR> Detecting bots really is easy and disabling their connection really is easy too.  In fact it can be automated with an extreme degree of accuracy.<br>  Verizon, as well as Comcast and others could very easily automate this detection and connection shutdown of bots.</DIV><BR>I'm not up to date on the specifics of law applicable to ISPs. 
But as a general principle of tort law, if some party has the benefit of a common-carrier-type of rule in the first place, but then starts routinely monitoring what its customers are up to, then it forfeits the benefit of the common carrier rule and *acquires* liability exposure that it didn't have. Making the monitoring a routine practice brings into play a "should have known" rule.<br><br>ISPs' lawyers (and lawyers of similar enterprises) therefore tell them to avoid getting into that kind of position, and rightly so. The common carrier situation is better for the vendor of a commodity service and better for society. The vendor's obligation is only to avoid causing problems by the way it runs the service itself (transporting packets, phone calls, rail passengers), not to assume responsibility for other parties' conduct using the service.<br><br>We really do need solutions to the problem of malware and other network abuse, but putting ISPs on the spot is not it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116533</guid>
<pubDate>Wed, 17 May 2006 15:56:38 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116513</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><SMALL>said by  HMS1 <A HREF="/useremail/u/1313688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>So anyone who favors some solution other than ISP snooping is "in support of the apathetic status quo" and must be a bot operator or spammer?</DIV>It's a sign of the times.  <br><br>"You're either with us or against us".]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116513</guid>
<pubDate>Wed, 17 May 2006 15:54:45 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116258</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Detecting and shutting down bots trying to break into people's computers/networks has negative consequences?  Detecting bots really is easy and disabling their connection really is easy too.  In fact it can be automated with an extreme degree of accuracy.<br><br>By the way, in the last three days I have reported 14 bots (the highest few offenders each day) using Verizon DSL connections to Verizon Online and none of them have been seen again.  I applaud Verizon for whatever action they may have taken to shut down these bots.  Verizon, as well as Comcast and others could very easily automate this detection and connection shutdown of bots.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116258</guid>
<pubDate>Wed, 17 May 2006 15:20:04 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16116072</link>
<description><![CDATA[<A HREF="/useremail/u/1313688"><b>HMS1</b></A> : Common carrier status for ISPs is a <EM>good thing</EM>. It protects the end-to-end nature of the internet: the applications and intelligence are at the endpoint devices, not in the pipes between them. It also protects freedom of communication, the potential for technical progress ("innovation"), and competition.<br><br>The common carrier principle (to the extent it applies) means an ISP does <EM>not</EM> have to actively look into customer activities or traffic. Even awareness does not invoke liability unless something is specifically brought to their attention, or reporting it is specifically required by law. Otherwise the ISP will police things only as needed to keep the network running well.<br><br>And that's as it should be. The responsibility for policing illegal activity rightly belongs to the police. Or if someone is adversely affected by someone else's spamming, viruses, etc., the right solution is for the affected party to make an abuse report, not for the ISP to have to routinely look for bots or spammers.<br><br>The common carrier concept originated with railroads. They were a crucial part of the economy in the 19th century, like the internet is now. They needed to be free from liability for passenger activities they were not aware of, <EM>and</EM> free from any obligation to investigate whether John Doe was going from A to B for a good or bad reason, or what he had in his bag, as long as it wasn't obviously harming anything.<br><br>This was good social policy then and it still is now. In addition to letting the carriers concentrate purely on carrying stuff, it freed passengers and shippers from oppressive and discriminatory regulation - charging competitors more, harassing inconvenient people, that sort of thing. 
The non-common-carrier situation is what big telcos and cable companies are trying to bring back now with their opposition to "network neutrality" (though now they presumably want freedom to discriminate in traffic without the liability for illegal activity). <br><br>-----<br><SMALL>On edit:</SMALL><br><br><div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>What I don't understand is why there are so many in support of the apathetic status quo.  Are that many of you actually bot operators and spammers?</DIV>So anyone who favors some solution other than ISP snooping is "in support of the apathetic status quo" and must be a bot operator or spammer?<br><br>Implying that some simple-minded policy with huge negative consequences is the only possible solution to some lesser problem, and that anyone who disagrees must be siding with the bad guys, is the level of reasoning demonstrated by certain disastrous politicians. We can do better here.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16116072</guid>
<pubDate>Wed, 17 May 2006 14:50:00 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16115407</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : <div class="bquote"><SMALL>said by  Khaine <A HREF="/useremail/u/779741"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>And what happens when a new bot comes out that the ISP doesn't scan for and a customer gets infected and sues the ISP for failure to do its job?  You know someone would do it.<br><br>Currently ISPs are common carriers and don't have any liability for traffic that passes through their network.  By forcing them to scan users or whatever you could change their legal status and their liability.<br> </DIV>I don't think you understand how to detect a bot.  You don't target each specific type.  You target by activity.  Ex: set up a firewall and start logging unsolicited traffic.  Then shut down the ones that are obviously bots.<br><br>They are liable if they know of illegal activity and do not take action to stop it.  You can not provide service to someone knowing they intend to use it for conducting illegal activity and claim innocence.  It would be like a gun shop selling a gun to a person all the while knowing they intend to use it to commit a crime (armed robbery, murder, etc).<br><br>There are certain illegal activities taking place on ISP networks by their very own customers and the ISPs know it.  And I know they know it because I know it too.  In the case of bots it does not require scanning all traffic.  Bot detection and shutdown is much simpler than that.<br><br>What I don't understand is why there are so many in support of the apathetic status quo.  Are that many of you actually bot operators and spammers?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16115407</guid>
<pubDate>Wed, 17 May 2006 13:14:34 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16115196</link>
<description><![CDATA[<A HREF="/useremail/u/1313688"><b>HMS1</b></A> : A computer licencing requirement is the sort of thing that appeals to people when they imagine it being administered in an idealized way - minimally restrictive, by competent bureaucrats, and only as needed for public protection.<br><br>In the real world it would quickly become a mighty engine of censorship, exploitation, special-interest protectionism, and political oppression.<br><br>* Criticize the government online? "Oops, we miscalculated your exam score! Your licence is no good."  Or some infraction of the myriad regulations is quickly found in something you do.<br><br>* Software vendor X gets a "sweetheart" deal with the regulators, then everyone has to buy, install and run X's product as a condition of being allowed online - "for public safety". And the legislature is not interested in any complaints about this product or the requirement of it, unless you can afford your own lobbyist.<br><br>* Do something online that regulators don't approve, you have to pay a fine. The list of fineable offenses may be somehow related to "safety" at first but soon expands without limit.<br><br>* Everything you do is monitored from inside your computer; encryption and foreign proxies are banned - otherwise unlicenced users could get behind the keyboard and the regulation could not be complete.<br><br>* All your data is sold to some murky private company that got a deal from the legislators - "to pay the costs of this essential protection system".<br><br>* Your computer is still hacked by some kiddie scripter because (a) you're no longer allowed to have control of it and therefore can't secure it, and (b) the vast regulatory apparatus doesn't actually work.<br><br>* Anyone who criticizes the scheme is denounced as a supporter of anarchy, hacking, viruses, child pornography, terrorism, etc.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16115196</guid>
<pubDate>Wed, 17 May 2006 12:43:01 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113521</link>
<description><![CDATA[<A HREF="/useremail/u/191317"><b>bcool</b></A> : <div class="bquote"><SMALL>said by  devicenull <A HREF="/useremail/u/730004"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><B>The answer to security is not software, nor is it hardware.  It's education, plain and simple.</B><br> </DIV>That's why I have always supported a licensing process by which one can earn the privilege of operating a computer. A comprehensive test would have to be taken and passed before a license could be issued.<br><SMALL>--<br>"in flagrante delicto"</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113521</guid>
<pubDate>Wed, 17 May 2006 05:46:47 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113399</link>
<description><![CDATA[<A HREF="/useremail/u/779741"><b>Khaine</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><B>Apathy is right.  </B>Especially on the part of ISPs that could very easily automate such things as bot detection and automatically shut down the connection.  They could also automate detection and blocking of certain automated types of email address harvesting.<br><br>Even if you pull the logs from your firewall and send your ISP major offenders, nothing is likely to be done.  Shutting down the easy-to-detect high offending bots would go a long ways toward protecting the ignorant computer operator.  At least maybe for more than 4 minutes.  With all the bots hitting my firewall it's easy to see how an unprotected computer could be taken control of in a matter of minutes.<br><br>There are some other things ISPs and corporations need to do as well.  Like untying account number and/or login ID from publicly used things such as email address and web space URL, etc.  And make all authentication via secure methods, even for SMTP/POP and NNTP, etc.<br> </DIV>And what happens when a new bot comes out that the ISP doesn't scan for and a customer gets infected and sues the ISP for failure to do its job?  You know someone would do it.<br><br>Currently ISPs are common carriers and don't have any liability for traffic that passes through their network.  By forcing them to scan users or whatever you could change their legal status and their liability.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113399</guid>
<pubDate>Wed, 17 May 2006 03:52:29 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113386</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : I didn't say anything about network administrators.  I said corporations.<br><br>I didn't say ISPs are the police.  But neither am I, but I and they as well can be held accountable for negligence, i.e. knowingly permitting someone to use their resources (network) in pursuit of illegal activity.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113386</guid>
<pubDate>Wed, 17 May 2006 03:44:53 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113369</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : <div class="bquote"><SMALL>said by  devicenull <A HREF="/useremail/u/730004"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>You have to be very careful automatically shutting down clients.  What if I want to run a Nessus or Nmap scan on a server I own?  With any type of automated system, you run the risk of it flagging that and taking action.. Server could have many IP addresses with different services on each..<br> </DIV>And why would it ever need to repeatedly pound on my or anyone's firewall with unsolicited traffic?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113369</guid>
<pubDate>Wed, 17 May 2006 03:33:28 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113119</link>
<description><![CDATA[<A HREF="/useremail/u/1295721"><b>mysec</b></A> : <div class="bquote"><SMALL>said by  HMS1 <A HREF="/useremail/u/1313688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Well it's rather hyperbolic. As you can tell from the title.</DIV>And how. It's easy to write an article like this, and if the assumptions and conclusions are not challenged, they just spread more fear and misunderstanding.<br><br>From the article:<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>A recent survey of U.S. adults revealed that three times the number of respondents believed they were more likely to be victimized in an online attack than a physical crime...The average user's computer is absolutely crawling with spyware and popups. According to the National Cyber Security Alliance a staggering 91 percent in the study have spyware on their computers. <HR></BLOCKQUOTE>You can gawk at the statistics and shake your head and accept that this is the way it is. Or, you can realize that this doesn't have to be if people understood how to safely operate on the internet.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>In a recent experiment, AvanteGarde deployed half a dozen systems in honeypot style, using default security settings... The average time until a successful compromise was just four minutes!... <HR></BLOCKQUOTE>This reminds me of the silly experiment a while back where a computer "out of the box" was infected almost instantly upon connecting to the internet. Certainly no one you know would use default security settings!<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>Yes, Zero-day exploits are now a reality. If you aren't scared yet about your online security, you should be. 
<HR></BLOCKQUOTE> If you are scared, you have no concept of security and how to protect your system.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Once a CD is placed in the computer, the software tool is run without your knowledge or consent.<HR></BLOCKQUOTE>This is so silly as to be laughable. Would anyone here admit that something could auto-run from a CD without your knowledge or consent?<br><br> <IMG SRC="http://img115.imageshack.us/img115/4628/autoruninfsetup5ds.gif"> <br><br>____________________________________________________________<br> <br> <IMG SRC="http://img115.imageshack.us/img115/3577/autorunexe6xs.gif"> <br>____________________________________________________________<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>The simple truth is most people fail to adequately secure their environment because they have no plan to manage it long term, no technical security architecture, and no real concept of what constitutes a security program. This leads to lots of technology with no increase in security.<HR></BLOCKQUOTE>Well, that is a relevant statement. <br><br><div class="bquote"><SMALL>said by  devicenull <A HREF="/useremail/u/730004"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Lacking a perfect anti-everything tool (viruses, trojans, spyware, etc), the only acceptable response, in my opinion is user education....<B>The answer to security is not software, nor is it hardware.  It's education, plain and simple.</B> </DIV>How true!<br><br>So, what are we doing about it? As I've said elsewhere, if each person on these forums (certainly a wealth of knowledge and experience!) would "adopt" a home user, think of how many more people would be *not* included in these ridiculous statistics. Over the years I've stressed teaching the basics of security to new users. 
Here are some thoughts, summarized from various notes I've made.<br><br>____________________________________________________________<br><PRE><br><B>                  Security:<br> <br>      The condition or quality of being secure. Specifically:<br> <br>      Freedom from apprehension, anxiety, or care;<br> <br>      Confidence of power of safety;<br> <br>      Hence, assurance; certainty.</B><br> <br>                              - Webster<br></PRE><br><br><B><U>INTRODUCTION </U></B><br><br>Note that nothing is said about the means of achieving this condition; to carry over into computing: no lists of products. <br><br>Security is a state of mind. One feels secure more or less according to the level of fear held in thought. This is not to imply one should be foolishly fearless, nor to ignore necessary steps to take in achieving this state of assurance, certainty, and confidence. <br><br>However, a perusal of the Security Forums reveals an almost mesmeric fixation on running lots of security products, impelled by a high state of fear as to the probability of compromise to the security of one's computer. This is fueled in no small way by the clever marketing techniques of the computer security industry, coupled with a lack of understanding on the part of many users as to what is needed for effective computer security. <br><br>Terminology such as <U>virus</U>, <U>infection</U>, <U>injection</U> - medical terms, not coincidentally, perhaps - are fear-provoking words that conjure up all sorts of dire consequences if one doesn't load the computer with a wide array of security products.<br><br>Neither I nor any of the users I've helped set up a system have ever gotten a virus. Yet, statistics show that millions of users have been infected by viruses/worms such as Sasser, Sober, and Bagle. How could this be, I wondered. <br><br>I joined several Security Forums last year to attempt to answer this question. 
When people posted for help in removing a virus, they usually did not relate the circumstances under which they got the virus, so I would send a private forum message asking for details. My messages were either ignored, or, sometimes I received a curt reply that it was none of my business. But sometimes details were revealed, and it became apparent that many people caught a virus by frequenting web sites such as those which offered pirated software; cracks/hacks for software; and pornography. I learned that those were the sites most likely to embed a virus in the web page. <br><br>"That which you sow, that shall you also reap." <br><br>Much expert help is provided on these forums, and it was fascinating to watch how the "cleaning up" process developed in these situations. <br><br>Other reasons given for becoming infected came from email, including opening attachments; or being tricked into going to a malicious web site. "Phishing" and "social engineering" are two current buzz words, succumbing to which indicates a total lack of judgment and basic knowledge about computing. <br><br>So, how do you help instill good judgment and basic knowledge?<br><br><U><B>GETTING STARTED: The First Computer</B></U> <br><br>I ask the user to make a list of what s/he wants to use the computer for. No gaming? Then a super-duper video card is not necessary. I've seen people spend money needlessly for computing hardware that is rated far higher than their needs require. Purchasing a custom-built computer avoids this pitfall. <br><br>We go to a reputable local shop that I've dealt with for many years. I phone ahead of time and we sit down with the technician and plan out a system. The user gets to watch the computer being assembled. Not that he will necessarily repair or upgrade himself, but that he sees that a computer is not something so mysterious after all: "This is a hard drive. This is the CD/DVD drive." 
He sees the power supply and learns that a can of compressed air will help keep the fan clean. He can tell his friends that he knows what a processor and RAM look like. Understanding how a computer works and removing the fear and mystique about it is the first step in understanding computer security. <br><br>We purchase an external USB hard drive and discuss how this will be a backup for his internal hard drive. <br><br>Before installing any software, we learn what file extensions are. I've often found that even people who have used a computer for a while don't know: <br><BLOCKQUOTE><br>1) what .exe and .txt mean and what their function is <br><br>2) why, when they double-click on a .doc file, does MSWord know to start?<br> </BLOCKQUOTE><br>Understanding executables and file associations is basic to developing good computing habits, not the least of which is to recognize file types when downloading from the internet, and sending/receiving by email.<br><br>I have a list of both executable and non-executable file types that I give the user for reference. A good example of how this knowledge helps: Each day I receive MSWord documents as attachments from students. While the macro virus is not so prevalent anymore, I don't worry about it anyway. Two other users also work with Word Documents via email. So:<br><br><U>WordViewer</U> <br><br>This free utility from Microsoft allows the user to open MSWord documents and does not permit any code to run. This is useful for those who receive Word documents from other people, either on CD or by email. If any macro virus is present, it cannot execute. We configure the MIME types in the email program to pass .doc files to MSWord Viewer rather than the MSWord program itself. <br><br>The user, now knowing how Windows has associated the .doc file type with MSWord, understands that we are bypassing that file association to force it to open in Word Viewer. 
We will configure other filetypes in a similar manner.<br><br>For .doc files received on disk, the user learns that instead of double-clicking on the file - which passes the command directly to the MSWord program - to right-click on the file, which opens the context menu where MSWord Viewer is listed.<br><br>Opening files using the context menu will be useful in other cases, as the user will learn later. <br><br>This is just one of several examples that will demonstrate to the user how to be aware of file extensions/associations while working at the computer.<br><br>I emphasize again how understanding file types and file associations is pivotal to developing basic security knowledge.<br><br>We continue in a like way with using the internet.<br><br><U><B>OTHER SOFTWARE</B></U><br> <br><U><B>SECURITY PRODUCTS</B></U> <br><br>I'm omitting these topics because everyone has her/his favorites, and it would invite useless, waste-of-space discussion. Basically, it doesn't really matter - there are many ways of securing a system and each person here is capable of advising someone on this, based on the user's needs and use of the computer.<br><br><U><B>CONCLUSION</B></U> <br><br>Common Sense is the most important part of security. The lure of something-for-nothing, and the temptation for pirated/hacked software (Office for $50) carries its own consequences. Holding to a sense of ethics and fairness usually keeps one in good stead. <br><br>The "Confidence of power of safety" leading to "assurance; certainty," is achieved by establishing a state of mind that understands that it is fear that instills uncertainty and doubt in one's thinking. This is easily taught, but does require time and patience.<br><br>So, don't just read articles like "Security Absurdity" and say, "Ah ha - those dumb people out there." Do something about it. 
Help someone.<br><br>To quote HMS1 <A HREF="/useremail/u/1313688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A><br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>In fact if best practices are applied then it is really very hard to break into a system...<HR></BLOCKQUOTE><BR><br>and devicenull <A HREF="/useremail/u/730004"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> again:  <br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR><B>The answer to security is not software, nor is it hardware.  It's education, plain and simple.</B> <HR></BLOCKQUOTE><br><BR><br><br>______________________________________________<br><SMALL>"Talking About Security Can Lead To Anxiety, Panic, And Dread... <br>Or Cool Assessments, Common Sense And Practical Planning..."<br><BLOCKQUOTE>--Bruce Schneier</BLOCKQUOTE></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113119</guid>
<pubDate>Wed, 17 May 2006 01:47:25 EDT</pubDate>
</item>
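The two checks the post above teaches by hand, reading an autorun.inf to see what a disc would launch on insertion, and judging a file by the extension Windows will actually act on, written up as an added Python example. It is not part of the post or of this thread; the autorun.inf contents, the filenames and the extension lists are constructed for illustration, and the extension lists are an assumption rather than the poster's own handout.

```python
"""Inspect a removable disc the way the post teaches it: what autorun.inf
would launch on insertion, and which files would run if double-clicked.
Added example, not from the forum post; all inputs are constructed."""
import configparser

# Extensions Windows executes (directly or via a script host) on double-click.
# Assumed list for this example; the post's own handout is not reproduced here.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg",
}
# Office formats whose macros run inside Word/Excel/PowerPoint (not in Word Viewer).
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps"}
RLO = "\u202e"  # Unicode right-to-left override: makes "gnp.scr" display as "rcs.png"


def classify(filename):
    """Return "executable", "macro-document" or "data" for the extension Windows
    will actually act on: only the LAST extension counts ("report.doc.exe" is an
    .exe), trailing dots/spaces are ignored because Windows strips them when it
    creates the file, and RLO is removed because it changes only the display."""
    name = filename.replace(RLO, "").rstrip(". ").lower()
    if "." not in name:
        return "data"  # no extension, so nothing is associated with it
    ext = name.rsplit(".", 1)[1]
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in MACRO_EXTS:
        return "macro-document"
    return "data"


def looks_disguised(filename):
    """True when the name is built to hide its type: an RLO character, or an
    executable extension behind a fake one ("photo.jpg.exe"), which Explorer's
    default "hide extensions for known file types" shows as "photo.jpg"."""
    if RLO in filename:
        return True
    parts = filename.rstrip(". ").lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS


def autorun_commands(inf_text):
    """Every command an autorun.inf hands to Windows: the open= and
    shellexecute= keys and any shell\\<verb>\\command entry. Other keys
    (icon, label) are cosmetic and never run anything."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; we lower-case ourselves below
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    cmds = []
    for key, value in cp.items(section):
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            cmds.append(value.strip())
    return cmds


def inspect_disc(inf_text, filenames):
    """Both checks together: what the disc runs by itself, and what each file
    on it would run if the user double-clicked it."""
    return {
        "autorun": autorun_commands(inf_text),
        "files": [(f, classify(f), looks_disguised(f)) for f in filenames],
    }


# Constructed autorun.inf; it is not the one in the post's screenshots.
AUTORUN_SAMPLE = """\
[autorun]
open=setup.exe /s
icon=setup.exe,0
shellexecute=start.hta
shell\\install\\command=install.exe
label=Holiday Photos
"""

if __name__ == "__main__":
    report = inspect_disc(AUTORUN_SAMPLE, ["Holiday Photos.scr", "readme.txt", "photo.jpg.exe", "thesis.doc"])
    for cmd in report["autorun"]:
        print("disc would run on insertion:", cmd)
    for name, kind, disguised in report["files"]:
        print(f"{name!r}: {kind}{' (disguised)' if disguised else ''}")
```

The point of `classify` is the one the post makes about file associations: the user should look at the last extension, because that is the only one Windows consults, and Explorer's default of hiding known extensions is what makes "photo.jpg.exe" look harmless.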

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16113091</link>
<description><![CDATA[<A HREF="/useremail/u/1140294"><b>Blackbird</b></A> : The security mess has three factors (other than the malware purveyors themselves):<br><br>Users - Education is critical for users to understand about malware and what they need to do to protect against its infecting and hijacking their computers. But it must result in meaningful action. Some folks simply don't care and won't put forth even the most minimal protective effort. The result is damage to other computers and users. But that implies legal liability for negligence or willful action. What is currently missing are the legal avenues for redress, and that is largely the result of systematic inability to assuredly trace most malware infection vectors back to their specific source, once a damaging infection has been detected. However, in the world that is unfolding now, the time may not be far off when increased surveillance for various other reasons and improved network and security protocols begin to support tracking of specific infection vectors more closely in real time. Should that occur, the tort lawyers <B>will</B> follow close behind... and that will definitely get the attention of security-sloppy users. And when ISPs get dragged into such messy things, you can just bet that ISP penalties and/or sanctions against infected computers and their owners will have to follow shortly to protect hosting ISPs from being sued to death over what radiates from their systems.<br><br>ISPs - I think the three relevant questions are: do ISPs know if there's garbage being sent from their systems, ought they to track and trap bots radiating trash from their systems (including their clients), and whether it is reasonably possible for them to do so. 
There's a sense in which a lot of ISPs seem to practice a "don't ask, don't tell" policy about what passes out of their networks - but it's apparent that in many cases, even when notified they're hosting malware radiators, many ISPs still ignore the issue. Unfortunately at that point, such ISPs tread dangerously close to complicity - and culpability. We all have a responsibility, moral if not legal, to not be party to the spread of damaging malware - so ISPs <I>ought</I> to take whatever action that is able to be taken about what emanates from their networks. As regards the possibility of tracking down and eliminating infected radiators from their networks, I'll leave that to the more technically expert folks here - but it seems from various past posts that at least some ISPs are able to do this to some extent.<br><br>Hardware/OS suppliers - It's 2006. There can be no question that a security obligation exists with these providers, just as it exists for any other "product" maker when design deficiencies cause damage to users or innocent bystanders. What is still missing is a "landmark" lawsuit which successfully establishes a minimum "user expectation of product safety" that has been ignored by computer/software designers. And for that, all a sharp lawyer has to do is convince a jury of laymen...<br><br>The security changes/improvements that seem to be coming in the next year or two are arriving at a glacial pace and will be not nearly effective enough. So I'm personally convinced that eventually this is all going to end up in courts, and the threat of legal action and settlements will force a <B>lot</B> of the players to do things far more carefully or be forced out of the game financially.<br><SMALL>--<br>If God wanted us to work with electrons, He'd make them big enough to see...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113091</guid>
<pubDate>Wed, 17 May 2006 01:37:38 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16111335</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Suppose a corporation knowingly permits the use of their resources for illegal activity and does nothing meaningfully significant to prevent such activity, should they not be held responsible for resulting damages?<br><br>ISPs currently do knowingly permit the use of their resources (their privately owned and operated network) for illegal activity and in many cases could put automated systems in place to detect, block and shutdown offending customer connections.<br> </DIV>That's another and entirely separate issue, Network Administrators are accountable for knowing their job. Permissions and Admin rights are controlled, or should be. I think you are not entirely realistic in what an Admin does or is, in a corporate environment.<br><br>An ISP provides access to the net, they are not the Police.<br><br>Most users could do with censorship @ least @ some level, even on their own PC! Too many really stupid click happy idiots running around, infecting everyone with AIDS -<B>A</B>rtificial & <B>I</B>ndecent <B>D</B>ecisions <B>S</B>erviced ;)<br><br>Some people should simply be licensed, before they are allowed to access the net. But it's still not an ISP issue.<br><br>.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16111335</guid>
<pubDate>Tue, 16 May 2006 20:41:18 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16111256</link>
<description><![CDATA[<A HREF="/useremail/u/185348"><b>Just Bob</b></A> : <div class="bquote"><SMALL>said by  devicenull <A HREF="/useremail/u/730004"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>[...]<br>The only way an ISP can provide a totally safe approach is with some sort of walled garden.  Don't allow anyone onto the "public" internet, only trusted ISP sites. I somehow doubt this is a good idea.<br>[...]<br> </DIV>Actually, that may not be a bad idea. New and inexperienced users could be confined to their ISP's portal. Only after demonstrating some level of competence would they be allowed out onto the internet. They could also have to demonstrate that their computer met some level of security.<br><br>Add egress filtering and many of the problems would be somewhat mitigated.<br>&raquo;<A HREF="http://www.sans.org/y2k/egress.htm" >www.sans.org/y2k/egress.htm</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16111256</guid>
<pubDate>Tue, 16 May 2006 20:30:29 EDT</pubDate>
</item>
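The egress filtering mentioned in the post above, as an added Python example that is neither the poster's nor taken from the SANS page it links: a policy check run over constructed packets leaving one customer segment. The customer prefix, the relay address, the blocked port list and the packets are all assumptions made for the example.

```python
"""Egress filtering at the ISP edge as a runnable policy check.
Added example, not from the post or from the SANS page it links; the prefix,
relay address, port list and packets below are all constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

# Assumed: the block the ISP assigned to this customer segment (TEST-NET-3, RFC 5737).
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# Assumed: the ISP's outbound mail relay, the only host customers may reach on tcp/25.
ISP_SMTP_RELAY = ipaddress.ip_address("198.51.100.25")
# Windows RPC/NetBIOS/SMB: no legitimate use across the ISP boundary, heavily used by worms.
BLOCKED_OUTBOUND = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}


def egress_verdict(pkt):
    """Return (allowed, reason) for one packet leaving the customer segment."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 1, the SANS point: nothing leaves with a source address we did not assign.
    # This is what stops a compromised host from taking part in spoofed-source floods.
    if src not in CUSTOMER_PREFIX:
        return False, f"spoofed source {src} not in {CUSTOMER_PREFIX}"
    # Rule 2: no direct-to-MX SMTP, so a spam bot on a customer PC cannot mail out.
    if pkt.proto == "tcp" and pkt.dport == 25 and dst != ISP_SMTP_RELAY:
        return False, f"direct SMTP to {dst}; only relay {ISP_SMTP_RELAY} is allowed"
    # Rule 3: block the worm ports outright.
    if (pkt.proto, pkt.dport) in BLOCKED_OUTBOUND:
        return False, f"{pkt.proto}/{pkt.dport} has no legitimate use across the Internet"
    return True, "permitted"


def filter_batch(packets):
    """Apply the policy to a list of packets; return the dropped ones with reasons."""
    dropped = []
    for pkt in packets:
        allowed, reason = egress_verdict(pkt)
        if not allowed:
            dropped.append((pkt, reason))
    return dropped


# Constructed traffic from one customer segment.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80),        # ordinary web request
    Packet("10.0.0.5", "198.51.100.1", "udp", 53),         # spoofed source: not our prefix
    Packet("203.0.113.7", "192.0.2.10", "tcp", 25),        # bot mailing straight to a remote MX
    Packet("203.0.113.7", "198.51.100.25", "tcp", 25),     # mail via the ISP relay: fine
    Packet("203.0.113.7", "192.0.2.33", "tcp", 445),       # SMB sweep, worm behaviour
]

if __name__ == "__main__":
    for pkt, reason in filter_batch(SAMPLE_PACKETS):
        print(f"DROP {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {reason}")
```

Rule 1 is the only one the SANS note is about; rules 2 and 3 are the kind of additions the thread argues over, and they are the ones that need a customer-facing exception process, since a customer who legitimately runs a mail server needs tcp/25 opened.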

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16111220</link>
<description><![CDATA[<A HREF="/useremail/u/730004"><b>devicenull</b></A> : You have to be very careful automatically shutting down clients.  What if I want to run a Nessus or Nmap scan on a server I own?  With any type of automated system, you run the risk of it flagging that and taking action.. Server could have many IP addresses with different services on each..]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16111220</guid>
<pubDate>Tue, 16 May 2006 20:25:31 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16111137</link>
<description><![CDATA[<A HREF="/useremail/u/1358335"><b>technoward</b></A> : Semi-offtopic, but that screenshot is just hilarious and sadly not far off from reality. Given the number of desktop computers that come to me for repair, it's absolutely shocking what people are doing on computers; they are infested with remote access trojans, keyloggers, rootkits, spyware and more. It's really hard to say where the failures are originating exactly; it's not all because of software exploits, which are prevalent in certain software like Internet Explorer; inexperienced users are a large part of the problem. <br><br>I see computers repeatedly from family, friends and clients and they all do not heed my warnings to run as a limited user, use Firefox and keep up to date with security software. I think the problem is the users just don't really know any better and for whatever reason are unwilling to learn or change their habits.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16111137</guid>
<pubDate>Tue, 16 May 2006 20:13:49 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110918</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Yes, one should practice defensive driving so to speak.  But there is still the other half of the equation which is the ISP should not knowingly allow illegal use of their network.<br><br>Moving off the road thing.<br><br>Suppose a corporation knowingly permits the use of their resources for illegal activity and does nothing meaningfully significant to prevent such activity, should they not be held responsible for resulting damages?<br><br>ISPs currently do knowingly permit the use of their resources (their privately owned and operated network) for illegal activity and in many cases could put automated systems in place to detect, block and shutdown offending customer connections.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110918</guid>
<pubDate>Tue, 16 May 2006 19:41:49 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110821</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Not all roads are state owned.  Applies to privately owned roads too.<br><br>ISPs are a private road to the public internet.<br> </DIV>Because I feel like a 'Shindig' @ this moment, good comeback ;) But, one outa check the share quotas on their 'Private' ISP :) It still does not excuse people who don't attempt to practice safe hex. This World is far more advanced in this day & time, with respect to the internet and some prudent precautions are not necessary, but mandatory; or one will quickly lose their identity in a most literal sense.<br><br>Ownership is still the problem of the surfer, not the ISP!<br><br>Cheers]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110821</guid>
<pubDate>Tue, 16 May 2006 19:29:45 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110716</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Not all roads are state owned.  Applies to privately owned roads too.<br><br>ISPs are a private road to the public internet.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110716</guid>
<pubDate>Tue, 16 May 2006 19:12:54 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110666</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : <div class="bquote"><SMALL>said by  N O Y B <A HREF="/useremail/u/1302208"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Owners of roads are also responsible for their condition being suitable for safe travel and, if not, setting up a road block to keep traffic out.<br> </DIV>That's a State issue and tax paid! Nothing like the internet or an ISP. Guess we have to move off the road thing, before it gets crazy ;)<br><br>.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110666</guid>
<pubDate>Tue, 16 May 2006 19:06:25 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110573</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Owners of roads are also responsible for their condition being suitable for safe travel and, if not, setting up a road block to keep traffic out.<br><br>Just like in many places the home owner is responsible for the sidewalk in front of their house.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110573</guid>
<pubDate>Tue, 16 May 2006 18:50:37 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110491</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : I don't know that an ISP should be held accountable for traffic, they are providing the 'Road' for access and that's pretty much it. Though <I>some</I> by request ;) go the extra yard when something 'Phissy' is going on and will log traffic activity at a customers request. But of course where would one draw the line...100 miles out...three hundred...Lol<br><br>I don't expect much and my ISP would not do much, if I didn't @ least make efforts to secure in a reasonable fashion.<br><br>Damn, I'm reminded how much I appreciate my ISP ;)<br><br>.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110491</guid>
<pubDate>Tue, 16 May 2006 18:38:45 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110312</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : Traveling the highways is also inherently unsafe.  That's why auto manufacturers are required to provide certain safety devices and meet legislated requirements.  The legislation is a result of their own unwillingness to do it on their own.  ISPs are headed down the same road.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110312</guid>
<pubDate>Tue, 16 May 2006 18:06:14 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110282</link>
<description><![CDATA[<A HREF="/useremail/u/730004"><b>devicenull</b></A> : The internet is inherently unsafe.  For all I know, the next time I visit this site, it will have been hacked using a 0day exploit, have another 0day exploit to bypass my proxy software, and a 0day exploit to infect my computer via my browser.  Not likely at all, but still a possibility.<br><br>The only way an ISP can provide a totally safe approach is with some sort of walled garden.  Don't allow anyone onto the "public" internet, only trusted ISP sites. I somehow doubt this is a good idea.<br><br>The last thing I want to see is the ISP filtering sites. If they started doing this, I would drop them pretty quickly.  Who says what they block?  Their "unsafe" sites, or sites they don't like.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110282</guid>
<pubDate>Tue, 16 May 2006 18:01:17 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16110208</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : The operator of a product (automobile, etc) is responsible for its use and modifications they may make.  Yes.  But the manufacturer or service provider is responsible for the product or service being provided.  These are two different things.<br><br>If a company sells a product or service that is unsafe when used as intended, they should be held liable for damages suffered by their customers.<br><br>ISPs are currently selling services that, as provided, are unsafe and most certainly do result in loss by their customers.  It would be sort of like leaving seatbelt purchase and installation up to the customer.<br><br>If an ISP is unwilling to provide a safe and secure internet connection then they should get out or be put out of business.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16110208</guid>
<pubDate>Tue, 16 May 2006 17:50:57 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16109830</link>
<description><![CDATA[<A HREF="/useremail/u/730004"><b>devicenull</b></A> : Who do you mean by provider? I hope you aren't saying that ISP's should notify their customers of any possible security issue with any software the customer is running.  That would require the ISP to be provided with a list of every installed piece of software.  I'm sure they would like that. (Additional fee for P2P anyone?)<br><br>Most non-free software I've seen has an option of registering with the developer, so they can notify you of product updates.. I'm not sure if any do this, because I don't see a need to register my software.  Most of the people I know go on a "if it's not broke, don't fix it" theory.. Their software is working fine, why should they risk breaking it with updates?  They don't understand the concept of things broken that they can't see.<br><br>dave, it works even better when you put it like that.  When you get a computer from somewhere, it's not "spewing junk".  Neither is your car.  Modifying it further (removing exhaust system for a car, or installing various programs for a computer) is something that the manufacturer can't be responsible for.<br><br>I can't think of any way where ISPs or software developers can keep a computer clean.  ISPs can, and should react if a subscribers computer is spewing junk.  They can offer services/tools to users, such as antivirus, firewall, etc.  Ultimately though, the decision to install these tools comes down to the user.  The user then has the power to ignore the warnings these tools generate.  The user also has the power to not install these tools, and not care that their computer is spewing junk.<br><br>Lacking a perfect anti-everything tool (viruses, trojans, spyware, etc), the only acceptable response, in my opinion is user education.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16109830</guid>
<pubDate>Tue, 16 May 2006 17:00:32 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16109688</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : Great. Car analogies! The most rhetorically sound basis for discussion of anything to do with computers!<br><br>View 'the net' as 'the atmosphere'.  <br><br>It is very much Ford's responsibility to make sure that the device that they sell is not spewing junk into the common environment.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16109688</guid>
<pubDate>Tue, 16 May 2006 16:39:17 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16109197</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : No, Ford does not have to make sure you know how to drive.  But they do have to provide a safe vehicle.<br><br>Manufacturers and service providers are responsible for the safety of their products and services when used as intended.  That goes for ISPs as well.  If they knowingly permit bots to operate on their network, they can and should be held liable for damages to their customers.<br><br>No, the biggest problem is not the USER.  Just like with vehicles, it is unrealistic to expect the consumer to know all the possible problems with the product or service.  It is the provider's responsibility to notify their customer of such issues.  The provider is supposedly, after all, the "expert" on their products and services. <br><br>By the way, it's interesting you selected to make an analogy using Ford with the Explorer / Firestone tire issue so recent.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16109197</guid>
<pubDate>Tue, 16 May 2006 15:33:58 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16109006</link>
<description><![CDATA[<A HREF="/useremail/u/730004"><b>devicenull</b></A> : Why is it suddenly the ISP's job to protect your computer? Does Ford have to ensure that you can drive well before getting in a car?  I don't think so.<br><br>The biggest cause of problems is the USER.  How do you think these bots are still running? The user doesn't have the knowledge to even recognize that they are there.  Whose fault is this? Not the ISP's.. not the manufacturers.. not the software producers.  Who needs to be responsible for fixing this problem? The user. <br><br>If the average computer user began to learn more about computers, a few things would happen: They would be able to recognize spam and phishing.. They would at least suspect that having multiple search bars is not normal.  They would know that pop-up ads don't normally appear when they aren't doing anything on the internet.  They might even be able to tell that their previously fast broadband connection has gotten noticeably slower.. and that the lights on their modem aren't supposed to be flashing when they aren't doing anything.<br><br><B>The answer to security is not software, nor is it hardware.  It's education, plain and simple.</B>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16109006</guid>
<pubDate>Tue, 16 May 2006 15:04:17 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16105484</link>
<description><![CDATA[<A HREF="/useremail/u/1302208"><b>N O Y B</b></A> : <B>Apathy is right.  </B>Especially on the part of ISPs that could very easily automate such things as bot detection and automatically shut down the connection.  They could also automate detection and blocking of certain automated types of email address harvesting.<br><br>Even if you pull the logs from your firewall and send your ISP the major offenders, nothing is likely to be done.  Shutting down the easy-to-detect, high-offending bots would go a long way toward protecting the ignorant computer operator.  At least maybe for more than 4 minutes.  With all the bots hitting my firewall it’s easy to see how an unprotected computer could be taken control of in a matter of minutes.<br><br>There are some other things ISPs and corporations need to do as well.  Like untying account number and/or login ID from publicly used things such as email address and web space URL, etc.  And make all authentication via secure methods, even for SMTP/POP and NNTP, etc.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16105484</guid>
<pubDate>Tue, 16 May 2006 00:53:25 EDT</pubDate>
</item>

<item>
<title>Re: Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16104745</link>
<description><![CDATA[<A HREF="/useremail/u/1313688"><b>HMS1</b></A> : Well, it's rather hyperbolic. As you can tell from the title.<br><br>Failure compared with what? With some magic solution that would fix all the problems better than all the current efforts? Or maybe compared with a situation where the bad guys stop attacking because of their sudden good will?<br><br>One might as well say that we're doing very well. In fact, if best practices are applied then it is really very hard to break into a system (please, no snarks about unplugging it). In the best case - good configuration, good policies, all patches, etc. - the attacker has to discover some previously unknown vulnerability, and the defender has to detect the intrusion and foil it. And at this level of practice, the forces are about evenly matched.<br><br>The real-life situation departs from this in (a) human error and (b) distortion of the OS market by a monopoly. The proximate causes of the plague of malware and compromises, apart from the exploiters themselves, are sysadmin errors in organizations, and home-user ignorance and apathy. The main underlying cause is the OS market being dominated by a buggy product as a result of unrestrained anti-competitive business practices.<br><br>Calling this situation a "failure of information security" implies some sort of technical or intrinsic failure, when in reality the ultimate problems are mainly non-technical.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16104745</guid>
<pubDate>Mon, 15 May 2006 22:46:42 EDT</pubDate>
</item>

<item>
<title>Security Absurdity: A long-overdue wake up call</title>
<link>http://www.dslreports.com/forum/remark,16095517</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : Nice write up on the state of things -<br><br>Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.<br><br>A long-overdue wake up call for the information security community.<br><br>&raquo;<A HREF="http://www.securityabsurdity.com/failure.php" >www.securityabsurdity.com/failure.php</A><br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16095517</guid>
<pubDate>Sun, 14 May 2006 15:20:28 EDT</pubDate>
</item>

</channel>
</rss>
