Forums » Up and Running » Security » Security » Security Absurdity: A long-overdue wake up call
 
SpannerITWks

Security Absurdity: A long-overdue wake up call

Nice write-up on the state of things -

Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.

A long-overdue wake up call for the information security community.

»www.securityabsurdity.com/failure.php

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks

HMS1


Well, it's rather hyperbolic, as you can tell from the title.

Failure compared with what? With some magic solution that would fix all the problems better than all the current efforts? Or maybe compared with a situation where the bad guys stop attacking because of their sudden good will?

One might as well say that we're doing very well. In fact if best practices are applied then it is really very hard to break into a system (please, no snarks about unplugging it). In the best case - good configuration, good policies, all patches, etc. - the attacker has to discover some previously unknown vulnerability, and the defender has to detect the intrusion and foil it. And at this level of practice, the forces are about evenly matched.

The real-life situation departs from this in (a) human error and (b) distortion of the OS market by a monopoly. The proximate causes of the plague of malware and compromises, apart from the exploiters themselves, are sysadmin errors in organizations, and home-user ignorance and apathy. The main underlying cause is the OS market being dominated by a buggy product as a result of unrestrained anti-competitive business practices.

Calling this situation a "failure of information security" implies some sort of technical or intrinsic failure, when in reality the ultimate problems are mainly non-technical.


N O Y B

Apathy is right. Especially on the part of ISPs that could very easily automate such things as bot detection and automatically shutdown the connection. They could also automate detection and blocking of certain automated types of email address harvesting.

Even if you pull the logs from your firewall and send your ISP the major offenders, nothing is likely to be done. Shutting down the easy-to-detect, high-offending bots would go a long way toward protecting the ignorant computer operator. At least maybe for more than 4 minutes. With all the bots hitting my firewall it's easy to see how an unprotected computer could be taken control of in a matter of minutes.

There are some other things ISPs and corporations need to do as well. Like untying account number and/or login ID from publicly used things such as email address and web space URL, etc. And make all authentication via secure methods, even for SMTP/POP and NNTP, etc.

devicenull

reply to SpannerITWks
Why is it suddenly the ISP's job to protect your computer? Does Ford have to ensure that you can drive well before getting in a car? I don't think so.

The biggest cause of problems is the USER. How do you think these bots are still running? The user doesn't have the knowledge to even recognize that they are there. Who's fault is this? Not the ISP's.. not the manufacturers.. not the software producers. Who needs to be responsible for fixing this problem? The user.

If the average computer user began to learn more about computers, a few things would happen: They would be able to recognize spam and phishing. They would at least suspect that having multiple search bars is not normal. They would know that pop-up ads don't normally appear when they aren't doing anything on the internet. They might even be able to tell that their previously fast broadband connection has gotten noticeably slower, and that the lights on their modem aren't supposed to be flashing when they aren't doing anything.

The answer to security is not software, nor is it hardware. It's education, plain and simple.


N O Y B


edit:
May 16th, @03:40PM

No, Ford does not have to make sure you know how to drive. But they do have to provide a safe vehicle.

Manufacturers and service providers are responsible for the safety of their products and services when used as intended. That goes for ISPs as well. If they knowingly permit bots to operate on their network, they can and should be held liable for damages to their customers.

No, the biggest problem is not the USER. Just like with vehicles, it is unrealistic to expect the consumer to know all the possible problems with the product or service. It is the provider's responsibility to notify their customer of such issues. The provider is, after all, supposedly the "expert" on their products and services.

By the way, it’s interesting you selected to make an analogy using Ford with the Explorer / Firestone tire issue so recent.

dave

reply to SpannerITWks
Great. Car analogies! The most rhetorically sound basis for discussion of anything to do with computers!

View 'the net' as 'the atmosphere'.

It is very much Ford's responsibility to make sure that the device that they sell is not spewing junk into the common environment.

devicenull

reply to SpannerITWks
Who do you mean by provider? I hope you aren't saying that ISPs should notify their customers of any possible security issue with any software the customer is running. That would require the ISP to be provided with a list of every installed piece of software. I'm sure they would like that. (Additional fee for P2P, anyone?)

Most non-free software I've seen has an option of registering with the developer, so they can notify you of product updates.. I'm not sure if any do this, because I don't see a need to register my software. Most of the people I know go on a "if it's not broke, don't fix it" theory.. Their software is working fine, why should they risk breaking it with updates? They don't understand the concept of things broken that they can't see.

dave, it works even better when you put it like that. When you get a computer from somewhere, it's not "spewing junk". Neither is your car. Modifying it further (removing exhaust system for a car, or installing various programs for a computer) is something that the manufacturer can't be responsible for.

I can't think of any way where ISPs or software developers can keep a computer clean. ISPs can, and should react if a subscribers computer is spewing junk. They can offer services/tools to users, such as antivirus, firewall, etc. Ultimately though, the decision to install these tools comes down to the user. The user then has the power to ignore the warnings these tools generate. The user also has the power to not install these tools, and not care that their computer is spewing junk.

Lacking a perfect anti-everything tool (viruses, trojans, spyware, etc), the only acceptable response, in my opinion is user education.


N O Y B


edit:
May 16th, @05:52PM

The operator of a product (automobile, etc.) is responsible for its use and the modifications they may make. Yes. But the manufacturer or service provider is responsible for the product or service being provided. These are two different things.

If a company sells a product or service that is unsafe when used as intended, they should be held liable for damages suffered by their customers.

ISPs are currently selling services that, as provided, are unsafe and most certainly do result in loss by their customers. It would be sort of like leaving seatbelt purchase and installation up to the customer.

If an ISP is unwilling to provide a safe and secure internet connection then they should get out or be put out of business.

devicenull

The internet is inherently unsafe. For all I know, the next time I visit this site, it will have been hacked using a 0day exploit, have another 0day exploit to bypass my proxy software, and a 0day exploit to infect my computer via my browser. Not likely at all, but still a possibility.

The only way an ISP can provide a totally safe approach is with some sort of walled garden. Don't allow anyone onto the "public" internet, only trusted ISP sites. I somehow doubt this is a good idea.

The last thing I want to see is the ISP filtering sites. If they started doing this, I would drop them pretty quickly. Who says what they block? Their "unsafe" sites, or sites they don't like.


N O Y B


edit:
May 16th, @06:07PM

Traveling the highways is also inherently unsafe. That's why auto manufacturers are required to provide certain safety devices and meet legislated requirements. The legislation is a result of their own unwillingness to do it on their own. ISPs are headed down the same road.


Kiwi

reply to SpannerITWks
I don't know that an ISP should be held accountable for traffic; they are providing the 'Road' for access and that's pretty much it. Though some, by request, go the extra yard when something 'Phissy' is going on and will log traffic activity at a customer's request. But of course where would one draw the line... 100 miles out... three hundred... Lol

I don't expect much and my ISP would not do much, if I didn't @ least make efforts to secure in a reasonable fashion.

Damn, I'm reminded how much I appreciate my ISP



N O Y B
Owners of roads are also responsible for their condition being suitable for safe travel and, if not, for setting up a roadblock to keep traffic out.

Just like in many places the home owner is responsible for the sidewalk in front of their house.


Kiwi

said by N O Y B:

Owners of roads are also responsible for their condition being suitable for safe travel and, if not, for setting up a roadblock to keep traffic out.
That's a State issue and tax paid! Nothing like the internet or an ISP. Guess we have to move off the road thing, before it gets crazy



N O Y B

edit:
May 16th, @07:18PM

Not all roads are state-owned. It applies to privately owned roads too.

ISPs are a private road to the public internet.


Kiwi

said by N O Y B:

Not all roads are state-owned. It applies to privately owned roads too.

ISPs are a private road to the public internet.
Because I feel like a 'Shindig' @ this moment: good comeback. But one oughta check the share quotas on their 'Private' ISP. It still does not excuse people who don't attempt to practice safe hex. This world is far more advanced in this day & time with respect to the internet, and some prudent precautions are not just necessary but mandatory; or one will quickly lose their identity in a most literal sense.

Ownership is still the problem of the surfer, not the ISP!

Cheers


N O Y B

Yes, one should practice defensive driving so to speak. But there is still the other half of the equation which is the ISP should not knowingly allow illegal use of their network.

Moving off the road thing.

Suppose a corporation knowingly permits the use of their resources for illegal activity and does nothing meaningfully significant to prevent such activity, should they not be held responsible for resulting damages?

ISPs currently do knowingly permit the use of their resources (their privately owned and operated network) for illegal activity and in many cases could put automated systems in place to detect, block and shutdown offending customer connections.

technoward

reply to SpannerITWks
Semi-offtopic, but that screenshot is just hilarious and sadly not far off from reality. Given the number of desktop computers that come to me for repair, it's absolutely shocking what people are doing on computers that are infested with remote access trojans, keyloggers, rootkits, spyware and more. It's really hard to say where the failures are originating exactly; it's not all because of software exploits, which are prevalent in certain software like Internet Explorer. Inexperienced users are a large part of the problem.

I see computers repeatedly from family, friends and clients and they all do not heed my warnings to run as a limited user, use Firefox and keep up to date with security software. I think the problem is the users just don't really know any better and for whatever reason are unwilling to learn or change their habits.

devicenull

reply to N O Y B
You have to be very careful automatically shutting down clients. What if I want to run a Nessus or Nmap scan on a server I own? With any type of automated system, you run the risk of it flagging that and taking action.. Server could have many IP addresses with different services on each..

Just Bob

reply to devicenull
said by devicenull:

[...]
The only way an ISP can provide a totally safe approach is with some sort of walled garden. Don't allow anyone onto the "public" internet, only trusted ISP sites. I somehow doubt this is a good idea.
[...]
Actually, that may not be a bad idea. New and inexperienced users could be confined to their ISP's portal. Only after demonstrating some level of competence would they be allowed out onto the internet. They could also have to demonstrate that their computer met some level of security.

Add egress filtering and many of the problems would be somewhat mitigated.
»www.sans.org/y2k/egress.htm
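An added example, not code from this thread or from any ISP: a small Python detector over constructed flow records that puts three of the points above side by side. It applies the kind of automated bot detection N O Y B argues ISPs could run (fan-out of direct port-25 connections), the source-address egress filter Just Bob's SANS link describes, and the allowlist that devicenull's objection requires so that a customer running Nessus or Nmap against a server they own is not cut off automatically. The log format, thresholds, customer prefix and allowlist are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real data). Hypothetical format,
# one flow per line: "<src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = "\n".join(
    # 10.1.1.20 talks SMTP directly to six distinct mail servers: spam-bot pattern.
    [f"10.1.1.20 203.0.113.{i} 25" for i in range(1, 7)]
    # 10.1.1.30 probes twelve ports on one host: looks like a scan.
    + [f"10.1.1.30 192.0.2.10 {p}" for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)]
    # 10.1.1.40 is an ordinary customer fetching a web page.
    + ["10.1.1.40 192.0.2.20 443", "10.1.1.40 192.0.2.20 443"]
    # Source address outside the customer block: spoofed, egress filter should drop it.
    + ["192.168.5.5 192.0.2.30 53"]
)

CUSTOMER_PREFIX = ipaddress.ip_network("10.1.1.0/24")  # assumed assigned block
SMTP_FANOUT_THRESHOLD = 5   # distinct port-25 destinations before calling it a spam bot
PORTSCAN_THRESHOLD = 10     # distinct destination ports on one host before calling it a scan
# Customer-registered "I scan my own server" exceptions: (source, destination) pairs.
SCAN_ALLOWLIST = {("10.1.1.30", "192.0.2.10")}


def parse_flows(text):
    """Parse the hypothetical flow format into (src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def classify(flows, customer_prefix=CUSTOMER_PREFIX, allowlist=SCAN_ALLOWLIST):
    """Return {src_ip: set(verdicts)} for every source that trips a rule."""
    smtp_dsts = defaultdict(set)        # src -> distinct SMTP destinations
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    verdicts = defaultdict(set)

    for src, dst, dport in flows:
        # Egress filter: a source outside the assigned block cannot be a
        # legitimate customer packet, so it is dropped rather than rated.
        if ipaddress.ip_address(src) not in customer_prefix:
            verdicts[src].add("spoofed_source")
            continue
        if dport == 25:
            smtp_dsts[src].add(dst)
        ports_per_pair[(src, dst)].add(dport)

    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_FANOUT_THRESHOLD:
            verdicts[src].add("spam_bot")

    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= PORTSCAN_THRESHOLD:
            # devicenull's case: the customer scanning a server they own.
            label = "allowlisted_scan" if (src, dst) in allowlist else "port_scan"
            verdicts[src].add(label)

    return dict(verdicts)


def recommend_action(verdict_set):
    """Map verdicts to an ISP action. Spoofed sources are dropped at the edge,
    clear spam bots are suspended, unregistered scans only raise an alert for
    a human to review, and allowlisted scans trigger nothing."""
    if "spoofed_source" in verdict_set:
        return "drop_at_edge"
    if "spam_bot" in verdict_set:
        return "suspend_and_notify"
    if "port_scan" in verdict_set:
        return "alert_for_review"
    return "none"


if __name__ == "__main__":
    results = classify(parse_flows(SAMPLE_FLOWS))
    for src in sorted(results):
        print(src, sorted(results[src]), "->", recommend_action(results[src]))
```

The design point is the split in `recommend_action`: the only fully automatic cutoff is for the high-confidence spam-bot pattern, while a port scan with no registered exception becomes an alert rather than a disconnection, which is the distinction devicenull's Nmap example asks for.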


Kiwi

reply to N O Y B
said by N O Y B:

Suppose a corporation knowingly permits the use of their resources for illegal activity and does nothing meaningfully significant to prevent such activity, should they not be held responsible for resulting damages?

ISPs currently do knowingly permit the use of their resources (their privately owned and operated network) for illegal activity and in many cases could put automated systems in place to detect, block and shutdown offending customer connections.
That's another and entirely separate issue, Network Administrators are accountable for knowing their job. Permissions and Admin rights are controlled, or should be. I think you are not entirely realistic in what an Admin does or is, in a corporate environment.

An ISP provides access to the net, they are not the Police.

Most users could do with censorship @ least @ some level, even on their own PC! Too many really stupid click happy idiots running around, infecting everyone with AIDS -Artificial & Indecent Decisions Serviced

Some people should simply be licensed, before they are allowed to access the net. But it's still not an ISP issue.

© 1999-2008 dslreports.com