In theory, consumers and businesses could punish Symantec for these
oversights by contracting with other security vendors. In practice, there’s
no guarantee that products from other vendors are well-secured, either
and there is no clear way to determine how secure a given security
product actually is.
Too many firms take an “appliance” or “product” (aka “technology”) approach to security. There is a saying that has been attributed to many security specialists over the years:
If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.
It is still true today.
The ‘appliance’ attitude is often accompanied by an unwillingness to do a proper risk analysis and to make the organizational changes that would make the InfoSec structure self-reliant and, where necessary, self-healing: that is, to institute a proper ISMS. That takes quite a lot of initial effort and then ongoing effort, which brings to mind another old quotation:
The biggest problem a security consultant has is getting
managers to perform regular risk assessments. They don’t
want to hear that it’s an ongoing process. The attitude
was “why bother if I can’t just check it once and be
done with it”.
Not just risk analysis but risk management, with both treated as an ongoing cycle. As I say, a proper ISMS is needed (ISO 27001/27002 is a good example) rather than an ‘appliance’ or a piece of OTS software such as those mentioned in the article, which often run in ‘fire and forget’ mode and are installed by a netadmin or hostadmin who has little or no real, meaningful security understanding.
Security is a process not a product
is quite true but understates the case. “Process” means commitment from the Board and from management, which in turn means a budget to implement the ongoing organizational changes needed to deal with changes in the security profile as technology and threats change (as the recent shifts to BYOD and ‘Cloud’ have shown), and to fund the risk management processes, the people and the training.
Companies that are not willing to deal with this are going to suffer.
Breaches and hacks may, up to now, have been an embarrassment and an inconvenience: the cost of sending out notification letters, a short blip in stock value. But consumer awareness is growing, and in the e-commerce world consumers are coming to expect a baseline of basic quality and security features. That too is an evolving issue. Sites like PayPal and eBay devote a lot of energy not simply to security but to the whole process of evolving security: being aware of evolving threats, methods and vulnerabilities.
But it is also easy to do it all wrong, to go through the motions with no real results.
We can see that in the way the US Government is dealing with InfoSec and, in doing so, generating the artificial ‘skills gap’ of InfoSec specialists. What they are demanding is low-level operatives, in effect ‘enhanced’ sysadmins and netadmins who are trained in using the appliances and configuring Windows devices and servers. This is ‘tactical’ work. What they are avoiding is the strategic work: addressing organizational and structural issues, doing proper risk analysis and management, the heavy ‘paperwork’ of implementing ISO 27000 or ISO 31000. One reason for this is that it is going to be disruptive, “drag them kicking and screaming out of the 19th century”.
We can point quite clearly to various US government departments, since they are high profile, well publicized in the media and in reports, and quite recidivist, but there is no shortage of other organizations, commercial, NGO and governmental, throughout the world that have implemented just enough “security” to say “well, that doesn’t apply to me”. All too often that ‘just enough’ is in the form of appliances and OTS software for otherwise poorly configured Windows systems, run by under-staffed, under-trained people (because it is under-budgeted and managed by people who don’t understand Risk Management). And there’s a lot of “Denial” going on.
This is why I like dealing with first and second tier banks and the large insurance companies that have been around for a long time. They have been doing Risk Analysis and Risk Management in the meat-world for a long time, and carrying that over into Cyberspace is no big deal for them. Their main issue is that they have to be a bit un-conservative to deal with rapidly advancing technology.
But as the real world shows, even they aren’t completely immune.
So any organization saying “I’m all right”, “I don’t need to do these things” or “I’m OK with my appliances and OTS software” is deluding itself.
Related articles across the web
The latest intelligence on Al-Qaeda, a high profile Child Protection
report and plans for policing the London 2012 Olympics; three very
different documents with two things in common: firstly, they all
contained highly confidential information and secondly, they were all
left on a train.
Or maybe “Strangers on a Train”.
Our latest research reveals that two thirds of Europe’s office commuters
have no qualms about peering across to see what the person sitting next
to them is working on; and more than one in ten (14 per cent) has
spotted confidential or highly sensitive information.
Perhaps that’s cynical and pessimistic and a headline grabber, but then that’s what makes news.
What I’m afraid of is that things like this set a low threshold of expectation, that people will think they don’t need to be better than the herd.
Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.
His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is, the ones who operated in Europe through the last century, might attack: not just dramatic, but it shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes …. but.
“Once the hacker gained access to Honan’s iCloud account, he or she
was able to reset his password, before sending the confirmation email
to the trash. Since Honan’s Gmail is linked to his .mac email address,
the hacker was also able to reset his Gmail password by sending a
password recovery email to his .mac address.
Minutes later, the hacker used iCloud to wipe Honan’s iPhone, iPad
and Macbook Air remotely. Since the hacker had access to his email
accounts, it was effortless to access Honan’s other online accounts
such as Twitter.”
Every new technology has people, the pioneers, who buy into the vendors’ hype … and pay a price for that.
We should learn from them.
- Hard-Learned Lessons from the Honan Hack (lumension.com)
- 60-minute Security Makeover: Prevent Your Own ‘Epic Hack’ (pcworld.com)
- Former Gizmodo writer Mat Honan’s hacked iCloud password leads to nightmare (nextlevelofnews.com)
- Apple Flooded with iCloud Password Reset Requests Amid Tightened Account Security Controls (macrumors.com)
- How Secure Is the Cloud, Really? (technewsworld.com)
From the “left hand doesn’t know what the right hand is doing” department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be “hard-pressed” to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, let’s leave the vested interests of security sales aside for a moment.
I read recently an article about the “IT Doesn’t Matter” thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don’t fully utilise their resources, don’t fully understand the capabilities of the technology they have, and don’t follow good practices (never mind good security), this is all a moot point.
At one level there’s the old argument about disclosure of security holes, but this is also an example of ‘driving’ security improvement.
- How a trio of hackers brought Google’s reCAPTCHA to its knees (arstechnica.com)
- Google’s reCAPTCHA briefly cracked (h-online.com)
- How Hackers Nearly Took Down Google’s ReCaptcha System (gizmodo.com.au)
- How Hackers Listened Their Way Around Google’s Recaptcha (tech.slashdot.org)
- How Hackers Nearly Took Down Google’s reCaptcha System (gizmodo.co.uk)
Last month, this question came up in a discussion forum I’m involved with:
Another challenge to which I want to get an answer is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privileged access and yet have them get their work done? I am
afraid that if Admin rights are given, they would download software at
their free will and introduce malicious code into the organization.
The short answer is “no”.
The long answer leads to “no” in a roundabout manner.
Unless your developers are developing admin software they should not need admin rights to test it.
This isn’t news. Signature-based (and hence subscription-based, and hence that whole business model) AV is a wrong-headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update-cycle model, and its business premise is very like that of drug pushers.
What’s that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads, all email and email attachments and all URL responses by emulating what would happen when they run on any PC, in any browser, or in any other piece of software: any of the PDF readers you use, any of the graphical display software you use, any of the word processors you use, any of the spreadsheet programs you use, any music players you use … and so on.
Many people in the industry, myself included, have proposed an alternative whereby each machine has a unique cryptographic key, the legitimately and properly installed libraries are all signed with that key, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor, which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature has advantages and its own problems.
The local signature makes things unique to each machine, so there is no “master key” out there. If your private key is compromised then do what you’d do with PGP: revoke the old one, generate a new one and sign all your software with the new one.
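As an added illustration (this is not code from the original post or from any product it mentions), here is a minimal version of that scheme in Go using Ed25519 from the standard library: a per-machine key, an install step that signs each library, a loader check that refuses anything not signed by this machine’s key, and the PGP-style rotation described above. The library names and contents are constructed sample data; the `Manifest` type and the function names are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MachineKey is the per-machine signing identity. The loader only ever
// needs the public half; the private half can live offline or in a token.
type MachineKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewMachineKey() (*MachineKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MachineKey{Pub: pub, priv: priv}, nil
}

// digest binds the library name to its contents, so a signed library
// cannot simply be renamed into the place of a different signed one.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/code boundaries are unambiguous
	h.Write(code)
	return h.Sum(nil)
}

// Sign is the "install" step: the administrator signs a legitimately
// installed library with this machine's private key.
func (k *MachineKey) Sign(name string, code []byte) []byte {
	return ed25519.Sign(k.priv, digest(name, code))
}

// Manifest is what the loader consults: library name -> signature.
type Manifest map[string][]byte

var (
	ErrUnsigned     = errors.New("library not in manifest")
	ErrBadSignature = errors.New("signature does not verify for this machine")
)

// Load is the loader/kernel check: refuse to execute anything whose
// signature was not made with this machine's key over these exact bytes.
func Load(pub ed25519.PublicKey, m Manifest, name string, code []byte) error {
	sig, ok := m[name]
	if !ok {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, digest(name, code), sig) {
		return ErrBadSignature
	}
	return nil
}

// Provision mints a fresh machine key and signs every legitimate library.
// Run once at install time, and again to rotate after a key compromise:
// signatures made with the old key stop verifying against the new public key.
func Provision(libs map[string][]byte) (*MachineKey, Manifest, error) {
	k, err := NewMachineKey()
	if err != nil {
		return nil, nil, err
	}
	m := make(Manifest, len(libs))
	for name, code := range libs {
		m[name] = k.Sign(name, code)
	}
	return k, m, nil
}

func main() {
	// Constructed sample "libraries"; on a real system these are files on disk.
	libs := map[string][]byte{
		"libssl.so":  []byte("legitimate TLS code"),
		"libjpeg.so": []byte("legitimate JPEG decoder"),
	}
	key, manifest, _ := Provision(libs)
	fmt.Println("genuine:       ", Load(key.Pub, manifest, "libssl.so", libs["libssl.so"]))
	fmt.Println("tampered:      ", Load(key.Pub, manifest, "libssl.so", []byte("backdoored")))
	fmt.Println("dropped in:    ", Load(key.Pub, manifest, "evil.so", []byte("malware")))

	// Key compromised: rotate. Old manifest no longer verifies, new one does.
	newKey, newManifest, _ := Provision(libs)
	fmt.Println("old sig/new key:", Load(newKey.Pub, manifest, "libssl.so", libs["libssl.so"]))
	fmt.Println("re-signed:     ", Load(newKey.Pub, newManifest, "libssl.so", libs["libssl.so"]))
}
```

Note what the asymmetric key buys here: the loader holds only the public half, so a host compromise does not hand the attacker the ability to sign new code unless the private half was also left on the box. A keyed MAC would be simpler if signer and verifier were the same always-on process, but then anyone who owns the host can bless their own malware, which is exactly the case the scheme is meant to stop.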
No technical measure can overcome human frailty in this regard.
- Avira antivirus upgrade wreaks ‘catastrophic’ havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser 🙂 (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don’t Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- ‘Catastrophic’ Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
So do my cats. But so what?
Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apple and every tablet and smartphone? Perhaps eyeball recognition like in “Minority Report”.
And I’m sure there are _other_ ways to hack that than the one mentioned in the movie.
- SSL governance and implementation across the Internet (net-security.org)
- Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
- Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)
So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack).
I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.
Read what they are really talking about in those military examples: it’s “ablation”, that is, burning up resources: land (the traditional defence the Russian Empire used), manpower (which the northern states used in the US Civil War) or materiel (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.
As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.
Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.
The reality is that many InfoSec defences are more like umbrellas: they assume that the attack is coming from a particular direction in a particular form. What is needed is more like an all-enclosing “bubble” rather than the linear ‘defence in depth’ model. But that gets back to the problem of the perimeter.
Many wifi enabled devices are really “spies inside the defensive perimeter”.
There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were, or might be, inimical or economic competitors, and as such might have subversive code hidden in it. No doubt this will come around again when journalists have nothing better to write about or the State Department needs to wave a big stick and scare the public, its way of showing that “it’s doing something”.
But how can we tell? The reality is that “security specialists” are finding errors, never mind deliberately malicious code, in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT devices like home wifi routers (aka the next generation of spambots) and home PC software (that’s a no-brainer, isn’t it!), never mind commercial databases?
I dedicate this to the memory of Ken Thompson