
Metatron2008
Premium
join:2008-09-02
united state
reply to skeechan

Re: [rant] Don't they get it - it's not just the hardware

So what exactly are your security credentials, skeechan? Any experience with software?

While making software, sometimes yes, you can miss bugs, but having the ability to add things is always the biggest issue.

Have any experience with IT? Because not only did those guys at Pwn2Own hack using social engineering (exploits were mainly found by adding such things as Java and Flash), but doing a quick search online:

»blogs.avg.com/consumer/social-en···nsumers/
»www.technibble.com/the-social-en···ecurity/

quote:
While these tools are necessary, there is one element that they still can’t protect – the human element. A solid fortress of hardware protection, updated anti-virus, and long cryptic passwords won’t do any good if you simply give the bad guys (or girls) the information they are looking for.
Social engineering is one of the biggest threats (if not the biggest threat) to computer security
»www.computerworlduk.com/in-depth···-threat/

»www.computerworld.com.au/article···_threat/

quote:
Social engineering remains biggest cyber threat
99 per cent of cases could be avoided with basic use of cyber security best practice, according to the AFP
So again, what are your security credentials, skeechan? Or do you work in software, that you would deny what is a known fact in the security field?


Metatron2008
Premium
join:2008-09-02
united state


Here's the simple fact about security:

Sometimes (but rarely) actual exploits happen from the OS itself. Not exploits from 3rd-party software, but exploits from programs in the OS.

The problem is, that's actually very rare. If you surf the web as a non-elevated user and not admin, don't use Flash or Java, and don't download stuff, you are pretty much safe.

The problem is, people will check their email, and find that people want them to download things because they've 'won a million dollars', or they will enlarge their penis...

Or they see a game online, or are illegally downloading software (And somebody added something to it), etc etc etc.



Uncle Paul

join:2003-02-04
USA

reply to scross

said by scross:

Zero-day exploits may very well exist for every consumer-grade OS, but not many exist (if any at all, or for very long at all, generally) for enterprise-grade operating systems. (That's an old-school "alpha" term, BTW, which you may not understand. Many consumer-grade systems aspire to be - or even claim to be - enterprise-grade, too, but they rarely make the cut.)

Get over the attempted elitism, no one's buying. All of today's major OSs are enterprise grade. You may have to do some configuration based on the role, but they are all capable of being deployed in the enterprise.

said by scross:

And I stand by my market share statement. There were old-school systems out there that had plenty of market share well before Microsoft became the big dog, and they never suffered from the numbers and kinds of exploits that hit Microsoft from the very beginning - mostly because they actually cared about integrity and security (they had to; it was a requirement for them to even get in the front door) while Microsoft didn't want to know and didn't care (plus they came in through the back door, at least at first). Any concerns that Microsoft has for this now came rather late in the game.

I don't believe this is correct. Based on your comments, I'm going to assume you don't move much in pen testing/hacking kinds of circles. The cost of an exploit is based on several factors, but the two largest drivers (aside from the age of the exploit and who you are) are the ease of deployment and target density (aka market share). You don't get as much for a SUSE Linux exploit that requires the user to execute a Java applet as for the same exploit on Windows 7. And a Windows 7 exploit is worth more than a Windows ME exploit. The reason why no one does exploits for DEC Alphas isn't because the OS is so secure, but because it's not worth any money. If I pay you $20k for the exploit, I need to be able to deploy it and get marketable information from enough targets to sell before the exploit is told to the vendor and patched. It's all about the money.

said by scross:

One of the benefits of being an old fart vs. a young turk is that we generally have a wide range of experience and the benefit of historical perspective, which the young folks lack. For example, it just floors me that kids today equate "computer" with "PC", because they don't have an effing clue that any other computer type exists or has ever existed, or that for every PC out there there are easily ten times as many non-PC systems that they interact with on a daily basis, only these do their work quietly and invisibly, for the most part. But being in the business as long as I have means that I've worked on a lot of stuff - stuff that might make a young turk literally run away in fear and loathing (no joke, because I've seen this very thing happen, and it's a good way of separating the men from the boys).

I'm not quite sure if you're saying I'm a 'young turk' or just making a statement. I will say that you have me by a couple of years, but not really enough to make that much of a difference. When people think about security they more often than not get really lost in the weeds and forget what security really is all about. Let's get out of the weeds for a moment and take a step back. Security is about managing risk. The most secure system is the one locked in a room without access and powered off. Every step away from that is about managing the risk to gain in efficiencies. You can easily say that years ago everything ran on an IBM/VAX/WANG mainframe and was really secure. But truthfully it's just a straw man, as the computing environment then isn't anything like it is now. In a way it's like saying a horse-drawn carriage is more secure than a Ford Focus. One pretty much isn't relevant now for more than a curiosity or in very specialized places. And you simply can't use the same measure between the two.

Part of being in this industry means moving and changing with the environment. Having a historical perspective is good, but I personally don't believe it's as valuable as you believe it to be. It's like me knowing how to program in Fortran. In today's world, it really doesn't matter unless I'm evaluating an application written in Fortran. The further back you go, the less relevant specific information is, and trending becomes more useful. We can go back a mere 15 years and look at the difference in centralized computing theory and security practices. Jump to today and we see what was a hard barrier between internal and external boundaries fade away. The effect of cloud-based computing and SaaS being adopted by business to handle core functions. Less internal IT staff and more vendors. The explosion of the internet with all the good and bad it's brought. Mobile systems in laptops, cell phones, and tablets. Wireless and remote access protections. Decisions around BYOD and security for managing data within those systems. The challenge of authentication and rights management across all of these federated systems. Support for thousands and thousands of different hardware pieces.

Personally I value honest objectivity in my employees over technology partisans. That objectivity is based on today's solutions, to meet today's challenges, across the enterprise with an eye on the market to see where vendors are positioning themselves for tomorrow's challenges.


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
reply to Metatron2008

Again, we're talking about EXPLOITS.

An exploit is a vulnerability IN the system that causes errant or unpredicted behavior IN the system that allows a user to bypass security or privilege level.

You can be a crayon eater and see that a stupid user installing software of their own effort is not an exploit. Nor is Java an OS exploit, as it doesn't ship with either OS X or Windows. Hell, if we're going to install Java, why not just install the trojan and call the system 'hacked by exploit'? There is no difference.

The "human element" is not an exploit, it's an attack vector. The OS is operating AS DESIGNED in the situations you are describing.

For the final time, social engineering is not an exploit, it's an attack vector, just like actual OS exploits are attack vectors, vulnerabilities in Java are used as attack vectors.

In simpler terms, not all attack vectors are exploits but all exploits are attack vectors.



Metatron2008
Premium
join:2008-09-02
united state

Well fine. Call it what you want, that doesn't change the fact that social engineering is the biggest threat to online security today. Most OSes have very few (noticeable) flaws when you get just the OS by itself.

Sure, no programmer is perfect, and if you paid enough money, somebody could find a flaw. Hell, you get some of the brightest American and Jewish minds together and you can come up with Stuxnet...

But it's simply easier to have an idiot install something.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170

OH yeah, no doubt. But that wasn't the point being made. A previous poster was basically blaming the OS for social engineering problems.

When talking about operating system vulnerabilities, which was what was being discussed, social engineering and 3rd party software is irrelevant...they aren't part of the operating system.

Microsoft isn't responsible for the Swiss cheese Adobe and Oracle put out there. Apple isn't responsible for a user that downloads something, turns off Gatekeeper, runs an installer and provides admin credentials. In these cases, Windows and OS X are running as designed. It's not Microsoft's fault someone CHOOSES to install software containing malware. That isn't an exploit. There is nothing to 'fix'.

You can't patch stupid. You can try with Gatekeeper and UAC, but stupidity is a very resilient condition.


scross

join:2002-09-13
Cordova, TN
reply to Uncle Paul

I note that you use the word "vendor(s)" three times in your post. That's very telling.


scross

join:2002-09-13
Cordova, TN
reply to Metatron2008

Concerning your "Pwn2Own" post, I've read many of these same things over the years so I pretty much know what the situation is. But I've always chuckled a bit over the results, because I tend to think of it more as "Of course they are going to attack the Mac first and hardest, because that's a prize actually worth winning!" (it has decent resale value, in any case), while the other prizes not so much.

But thanks for reminding me that Android has held up so well here, since these days I tend to think of it more as the future direction of computing. So that gives me warm fuzzies inside.



Uncle Paul

join:2003-02-04
USA
reply to scross

said by scross:

I note that you use the word "vendor(s)" three times in your post. That's very telling.

You might be surprised to note I've worked within the Federal space (DOE and DOD), the consulting space (Deloitte), and currently work with a state medical university and hospital (would like to be the place I retire from). I say vendor because over the last 10 years there has been a large shift away from internal applications to COTS and outsourced IT functions. Within the medical IT field you'll find all kinds of vendors that hold contracts for medical devices that ride your network.

Move away from just being the guy that maintains the machine and start looking at your IT infrastructure as a cost to deliver the service required to drive your business.