
Security Industry Faces Attacks It Can't Stop

kdawson posted more than 4 years ago | from the crying-out-for-paradigm-shift dept.

Security 305

itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"


305 comments

First (-1, Troll)

Ethanol-fueled (1125189) | more than 4 years ago | (#31454248)

'All of the victims we've worked with had perfectly installed antivirus,' he said.

Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid (or lazy) than they claim to be.

'They all had intrusion detection systems and several had Web proxies scan content.'

You can't hack us, we're hiding behind seven proxies! What's this? Oh, nevermind, ignore it. It's just the NSA snooping around our systems again. Warrants? Nah, we know they're looking for bad guys. See, they're looking up data on Chinese people! They're probably going after cyber-warriors! Ooooh, how exciting!

Re:First (2, Insightful)

0racle (667029) | more than 4 years ago | (#31454302)

Other articles mentioned that the exploits were there because of NSA mandates for data access

[citation needed]

Oh and conspiracy theories are not adequate citations. You could at least try to not sound like an idiot.

Re:First (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31454500)

You don't know that The Associated Press is a gigantic propaganda machine. Do you?

Re:First (3, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#31454630)

You could at least try to not sound like an idiot.

Which is why I am staying out of this conversation ... except for that ... and that ... oh, never mind.

Re:First (2, Informative)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454308)

Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid(or lazy) than they claim to be.

Yeah, and then Schneier stated in a retraction that that wasn't the case.

Re:First (0)

Anonymous Coward | more than 4 years ago | (#31454594)

You'd retract your words if feds threatened you with jail-time.

Re:First (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454696)

Where did the feds threaten him with jail time?

Re:First (2, Funny)

Qzukk (229616) | more than 4 years ago | (#31454926)

Obviously it must be one of those national security letters that let them do anything and nobody can talk about having gotten one.

No. The core problem goes deeper. (3, Insightful)

khasim (1285) | more than 4 years ago | (#31454356)

The "security industry" is NOT interested in putting itself out of business by selling WORKING products.

That's why the "perfectly installed antivirus" gets daily updates and STILL CANNOT TELL A GOOD FILE FROM A BAD FILE.

Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

It's far easier to identify the files that SHOULD be allowed than it is to identify a possible threat.

Who has authority to confirm something as good? (4, Insightful)

tepples (727027) | more than 4 years ago | (#31454436)

How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?

Is your shopping list executable? (3, Insightful)

khasim (1285) | more than 4 years ago | (#31454592)

No? Then it isn't an issue.

Now, if you're trying to store your shopping list on c:\windows\system32 ... then the anti-virus app should block you.

As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.

A side benefit of this would be that the anti-virus app could also tell you that you have vulnerable, unpatched apps on your system.

Re:Is your shopping list executable? (2, Interesting)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454622)

As for who has the authority ... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.

So the same people that this article is pointing out that are failing to actually protect people? Oh and let's not even get to how many false positives and negatives that are well-known to happen with all the security suites.

Yeah, read the whole thread. (2, Insightful)

khasim (1285) | more than 4 years ago | (#31454706)

So the same people that this article is pointing out that are failing to actually protect people?

Yeah, read the whole thread. You might notice that that was my original point.

The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.

If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.

But they don't do that. See the sentence above the sentence right above this one.

Re:Yeah, read the whole thread. (2, Insightful)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454744)

Yeah, read the whole thread. You might notice that that was my original point.

And yet you think they are magically going to be able to implement an automatic white listing mechanism?

The "security industry" has no real interest in solving (or reducing) the problem because they're making so much money off of it.

And because many of them are just flat out incompetent.

If they did want to fix the issue, the simple example I gave would go a long way towards doing just that.

But they don't do that. See the sentence above the sentence right above this one.

And it would be just as fraught with false positives and negatives as their current software.

Re:Who has authority to confirm something as good? (1)

jimbobborg (128330) | more than 4 years ago | (#31454732)

How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

Who has the authority to confirm, say, your shopping list as good? Or, if you're considering only files marked executable, a shell script that your co-worker wrote?

Reading comprehension FAIL. What idiot types their shopping list and saves it in the Windows system file directory?

Re:No. The core problem goes deeper. (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454546)

Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

And how do you think this is going to happen? If it's manual then most users are going to just click through saying it's good all the time or when they get fed up by this behavior they'll just uninstall it. If automatic, how exactly do you expect something to perfectly determine whether something is good or bad? Because if it can't do it with 100% accuracy, then you're going to get lots of complaints about bad files being thought of as good or good files being shitcanned as being bad.

Re:No. The core problem goes deeper. (2, Informative)

WrongSizeGlass (838941) | more than 4 years ago | (#31454768)

And how do you think this is going to happen? If it's manual then most users are going to just click through saying it's good all the time or when they get fed up by this behavior they'll just uninstall it.

If computer security has taught us anything, and it hasn't, it's that you can't protect users from themselves. Not only are they their own worst enemies, but they are never the person they blame when this happens. All PC's should come standard with a mirror.

I'm not letting MS off the hook - they need to get their sh!t together, but it's impossible to retrofit all the XP (and older ... and newer) desktops out there with a magic bullet. At some point the users need to share the blame and responsibility for their actions (or lack thereof) when it comes to their computer's security.

Because if it can't do it with 100% accuracy, then you're going to get lots of complaints about bad files being thought of as good or good files being shitcanned as being bad.

This is very true. Though in the big scheme of things I would imagine a user would rather be irritated by an errant "No write for you!" as opposed to the havoc an infection wreaks.

Re:No. The core problem goes deeper. (1)

spinkham (56603) | more than 4 years ago | (#31454726)

These exist, bit9 has one of the better ones out there. Also, the Unix package management system functions as a de facto whitelist approach. The problem is whitelisting limits what you can install. Adding programs to the whitelist is time intensive, and the major benefit of Windows is the fact that there's so much stuff out there you can run on it.

Whitelisting is a good approach for certain locked down, single purpose terminals, but for general computing you might just as well deploy Ubuntu to your users instead...

Re:No. The core problem goes deeper. (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31454764)

Whitelisting is a good approach for certain locked down, single purpose terminals, but for general computing you might just as well deploy Ubuntu to your users instead...

That is until they download Ubuntu malware [digitizor.com] .

Re:First (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31454612)

How can a perfectly installed AV detect a new virus or malware that does not have a previously identified signature? Or is being implemented in an entirely new way which is not currently in the AV or security programs' list of possible intrusion scenarios? AV and security programs are nothing more than window dressing allowing IT execs to say "look, we are doing all we can to prevent these problems, what else can I do?" Their bosses see the programs running and believe they are safe.

An AV program will never prevent new viruses. Once a new virus is in the wild it will infect a certain amount of users; once it is recognized to be a new virus the AV companies will create a definition for it. There are always a few unlucky ones who will be infected, this is a given. But not something any AV company will admit to. At this point it is the responsibility of the IT staff to do the only guaranteed thing which will remove the virus: format the drive and reinstall the OS. Too many people feel they can remove the infection, and while this may be true in a very limited amount of cases, there is always the possibility that the virus your AV has recognized is a variant which is still unknown.

Let's face it, the only reason people realize they have a virus is because their computer starts acting "funny". A well written virus may never produce any indications of an issue and may go on working happily until either the user renews their AV program or retires their computer.
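To make the signature argument in the comment above concrete, here is an added example (not code from the thread, and not any vendor's engine) of what a hash-plus-byte-pattern scanner does with two trivially re-packed variants of a "known" sample. Every sample, signature and C2 string below is a constructed stand-in; nothing here is real malware.

```python
"""Signature-based detection and why a re-packed variant evades it.

Added example for the discussion above. The "binary" and the "signatures"
are constructed byte strings, not real malware or a real vendor format.
"""
import hashlib

# Constructed stand-in for a known-bad binary: a header, padding, a
# hard-coded command-and-control string, and a NOP sled. The C2 string is
# the sort of thing a vendor turns into a pattern signature.
C2_STRING = b"CONNECT c2.example.invalid:4444"
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 12 + C2_STRING + b"\x00" + b"\x90" * 16

# Two signature styles a scanner relies on:
#   1. a full-file hash of the sample as first seen
#   2. a byte pattern lifted from the sample's body
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
PATTERN_SIGNATURES = [b"c2.example.invalid:4444"]


def scan(blob: bytes) -> list[str]:
    """Return the names of the signatures that fire on blob (empty = 'clean')."""
    hits = []
    if hashlib.sha256(blob).hexdigest() in HASH_SIGNATURES:
        hits.append("hash")
    for pat in PATTERN_SIGNATURES:
        if pat in blob:
            hits.append("pattern:" + pat.decode())
    return hits


def variant_padding(blob: bytes) -> bytes:
    """Variant 1: append a single byte. Changes the hash, keeps the pattern."""
    return blob + b"\x00"


def variant_xor_string(blob: bytes, key: int = 0x5A) -> bytes:
    """Variant 2: store the C2 string XOR-encoded, as a real binary would and
    decode it only at run time. Neither the hash nor the pattern survives."""
    encoded = bytes(b ^ key for b in C2_STRING)
    return blob.replace(C2_STRING, encoded)


def demo() -> dict[str, list[str]]:
    """Scan the original and both variants; only the original is fully caught."""
    return {
        "original": scan(KNOWN_BAD),
        "padded": scan(variant_padding(KNOWN_BAD)),
        "xor": scan(variant_xor_string(KNOWN_BAD)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:9s} -> {hits or 'clean'}")
```

The padded variant still trips the pattern signature, which is why vendors prefer patterns to hashes; the XOR-encoded one trips nothing until someone captures it and writes a new signature, which is the window the commenter is describing.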

I'll give you a clue... (5, Insightful)

advocate_one (662832) | more than 4 years ago | (#31454260)

Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'

the "victims" were all running MS Windows...

Re:I'll give you a clue... (1)

Z00L00K (682162) | more than 4 years ago | (#31454324)

I must go back to use OS8MT or something even more obnoxious then.

Re:I'll give you a clue... (1, Insightful)

localman57 (1340533) | more than 4 years ago | (#31454374)

Funny, when a statement like that concerning any other subject appears on the front page, it gets a "CorrelationIsNotCausation" tag. But since it's an easy shot at MS, it gets modded up here...

Re:I'll give you a clue... (4, Insightful)

Azureflare (645778) | more than 4 years ago | (#31454480)

How does "correlation is not causation" apply to this situation?

It's Microsoft's product which is the target of these attacks. IMO the grandparent should be tagged captainobvious, rather than being tagged correlationisnotcausation.

When you hear about a massive distributed attack against Mac OS X and linux which goes undetected for a while, let us know.

The scary thing is... It could be happening right now! Quick! Unplug your ethernet cable and turn off your wireless radiooo!! They're gonna get youuuuu!!! /tinfoilhat

Re:I'll give you a clue... (1)

T Murphy (1054674) | more than 4 years ago | (#31454518)

Good point. Just because all the idiots use Windows doesn't mean Windows causes one to be an idiot. </joke>

Re:I'll give you a clue... (2, Insightful)

Redlazer (786403) | more than 4 years ago | (#31454840)

There is no shortage of idiots on Mac OS X.

There is a shortage of malware available to exploit those idiots, however.

Correlation can imply causation. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31454886)

Too many people here don't understand basic logic. That's surprising, given the demographics here. I would've thought that programmers would have a better-than-average grasp of that topic.

Correlation can very well imply causation. Let me prove it to you:

Let o be a True correlation.
Let a be a True causation.

Problem: Prove that o -> a. That is, prove that correlation implies causation.

Proof: See an implication truth table [wikipedia.org] . Like in this case, we have a True correlation and a True causation. Thus we have a True implication. Hence, we have proven that correlation can imply causation.

Q.E.D.

Re:I'll give you a clue... (1)

Eugene O'Neil (140081) | more than 4 years ago | (#31454956)

Yes, you can't just assume from the correlation that people must get more viruses because they install windows. You have to also consider the alternative explanation... that people install more windows because they get viruses!

Re:I'll give you a clue... (1)

Often_Censored (182111) | more than 4 years ago | (#31454380)

There are some problems that you have to pay money to have.

Windows tax deduction (1)

tepples (727027) | more than 4 years ago | (#31454538)

There are some problems that you have to pay money to have.

True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.

Re:Windows tax deduction (3, Insightful)

FranTaylor (164577) | more than 4 years ago | (#31454780)

There are some problems that you have to pay money to have.

True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.

You are asserting that the costs of a computer end at purchase, they do not. With Windows, the purchase price is only the beginning of your costs. Anti-virus, maintenance, upgrading, rebooting, these costs dwarf the purchase price.

Re:I'll give you a clue... (0)

Anonymous Coward | more than 4 years ago | (#31454620)

Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.

Hell, Matt Murphy could do that on his own, hardly needed the rest of the band.

Re:I'll give you a clue... just use virtuals! (0)

Anonymous Coward | more than 4 years ago | (#31454688)

Just run internet-facing programs like the browser and email client in separate virtual instances, preferably with a more secure OS underneath. Reboot those instances hourly (or whatever) and apply the latest patches at reboot. Sharing data between apps could be a little bit of a pain, but copy&paste works and shared folders with the host can be implemented in a secure way.

Re:I'll give you a clue... (3, Insightful)

sabs (255763) | more than 4 years ago | (#31454698)

Are you trying to say that Google uses MS Windows for its websites and database servers?

Re:I'll give you a clue... (1)

moderatorrater (1095745) | more than 4 years ago | (#31454786)

While I think them running Windows helped, can you honestly tell me that the attackers couldn't have gotten in through a hole in Linux, Firefox, Flash, or any of the other openings that every usable computer has? With highly targeted attacks like this there's almost nothing that can fully secure the computer, and those things which could fully secure Linux would fully secure Windows as well.

For instance, sandboxing the entire OS. Make them use a separate computer when interacting with the internet as a whole and when interacting with the internal network and not allowing direct connections between the two. But what company's going to be willing to put their employees through that level of hassle, much less the expense of the hardware?

In one word: (1)

Xamusk (702162) | more than 4 years ago | (#31454266)

FAIL!

Security theater (0)

Anonymous Coward | more than 4 years ago | (#31454286)

A lot of security theater is out there, but one thing is for certain: you can dramatically lower your risk just by thinking for a minute before you click on some link/email/app/etc.

Re:Security theater (1)

localman57 (1340533) | more than 4 years ago | (#31454328)

The problem with that is that a lot of the links promise to take you to a picture of a kitten doing something cute. Unfortunately, there is no known method for keeping certain types of people from clicking on kitten-related links. Sad, but true.

Re:Security theater (1)

spun (1352) | more than 4 years ago | (#31454376)

Unfortunately, there is no known method for keeping certain types of people from clicking on kitten-related links.

You could chop off their hands.

Re:Security theater (5, Funny)

localman57 (1340533) | more than 4 years ago | (#31454418)

Kittens don't have hands. They have paws. But yes, I agree with you. Maybe seeing a few pictures like that would get people to stop clicking the links.

Re:Security theater (1)

johnshirley (709044) | more than 4 years ago | (#31454716)

Get enough people redirected to goatse.fr when they click that link promising cute kittens and they might get shocked enough to simply stop clicking on cute kitten links. Then again, there will always be people who keep clicking through hoping that that adorable little feline will ultimately appear if they click it enough times.

Yeah, we can't fix stupid; we can only try to protect them from themselves.

Re:Security theater (1)

pz (113803) | more than 4 years ago | (#31454402)

A lot of security theater is out there, but one thing is for certain: you can dramatically lower your risk just by thinking for a minute before you click on some link/email/app/etc.

Yes, true, but the article is about corporate IT security, where it must be assumed that employees will not be circumspect as you suggest, and the network protected nevertheless.

Re:Security theater (4, Informative)

pastafazou (648001) | more than 4 years ago | (#31454616)

You don't need to click any more. Most of the malware I'm cleaning up these days is delivered via Flash, and distributed by advertisement servers that have been hacked. All you have to do is visit a site that gets paid to serve random ads, and you can get infected.

Surely we've seen this before... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31454306)

Oh... like how the police can't prevent crime?

The antivirus companies are the exploit writers (1)

Orga (1720130) | more than 4 years ago | (#31454342)

All of the victims we've worked with had perfectly installed antivirus

We all know they're just drumming up business for themselves.

Well duh (1, Informative)

Anonymous Coward | more than 4 years ago | (#31454354)

Antivirus is a joke, and always has been.

You don't fix a software problem with more software. You fix the software.

If you can't fix the software, you do your best to avoid situations where it will be attacked. In other words, don't punch the monkey.

I don't run AV, I do run XP, I don't punch the monkey, and I don't get viruses.

Training users at some megacorp to not PTM is a lost cause. Fix your s***, and forget AV.

Re:Well duh (1)

Jeremy Erwin (2054) | more than 4 years ago | (#31454406)

You don't fix a software problem with more software. You fix the software.

I don't run AV, I do run XP, I don't punch the monkey, and I don't get viruses.

How'd you fix XP?

Stating the obvious (2, Insightful)

al0ha (1262684) | more than 4 years ago | (#31454358)

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.

AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect. Same with IDS and the lot of it.

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better. The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.

Re:Stating the obvious (1)

MightyMartian (840721) | more than 4 years ago | (#31454390)

Indeed, it's like saying "Despite everyone wearing seat belts, people still die in head-on collisions. Clearly the auto industry just isn't doing enough..."

(There, even worked in a good car analogy for y'all!)

Re:Stating the obvious (1)

nine-times (778537) | more than 4 years ago | (#31454584)

Maybe it's more like saying, "Despite everyone wearing seat belts, people still die in head-on collisions. Clearly we should be considering more public transportation."?

Re:Stating the obvious (1)

maxume (22995) | more than 4 years ago | (#31454644)

...how 'bout they install airbags

Re:Stating the obvious (0)

Anonymous Coward | more than 4 years ago | (#31454464)

Antivirus is imperfect because it makes people think that they're immune from anything/everything that can go wrong. You tell them that an antivirus program is good and most users will go out of their way to prove you wrong.

Re:Stating the obvious (1)

Albanach (527650) | more than 4 years ago | (#31454466)

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything. ...

The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.

Did you miss the bit in the summary where they mentioned Google? Now it is possible that Google had no anti-virus, no IDS and doesn't monitor in and outbound web traffic for potential threats, but I think it unlikely.

I find it hard to imagine that a firm which can to all intents and purposes hire the very brightest and smartest has a whole lot of clueless users. I doubt the Google end-users were doing anything stupid anyway.

For others, especially those with fewer resources, life is harder still. A zero day exploit doesn't need a user to be stupid, only to open a web page, through trickery, coercion or plain old bad luck.

Durrr (0)

Anonymous Coward | more than 4 years ago | (#31454670)

I doubt the Google end-users were doing anything stupid anyway.

They were running M$ Windozes... that's very stupid.

Re:Stating the obvious (0)

Anonymous Coward | more than 4 years ago | (#31454472)

The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.

What could the end-user have done in this situation that would have caused a different outcome?

Re:Stating the obvious (0)

Anonymous Coward | more than 4 years ago | (#31454478)

Besides, no anti-virus company wants to make a product that blocks all known and unknown viruses anyway. What would they sell the customer next year? Face it: security software is a racket. It will never be perfect even if it could, because (much like with human diseases) there's no money in a cure. There's a lot of money in treatment though!

Re:Stating the obvious (2, Insightful)

twidarkling (1537077) | more than 4 years ago | (#31454632)

So how do you explain the free ones not being perfect, then?

So why not change it? (5, Insightful)

khasim (1285) | more than 4 years ago | (#31454544)

The security industry will always be unable to protect everyone 100% of the time.

The problem is that they haven't even hit the 50% mark. They cannot even, reliably, detect threats that are over a year old.

AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect.

Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better.

I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.

It is not in the "security industry"'s best interest to commit to real improvements in security.
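The "identify the legitimate files and block everything else" proposal in the comment above is an allowlist (whitelist) of known-good files. As an added example that is not code from the thread or from any product, the Python below builds a hash manifest from a known-clean copy of an OS directory, refuses a proposed write whose path or content is not in the manifest, and audits the directory afterwards for anything that slipped past. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Allowlist check for writes into an OS directory.

Added example for the proposal above. The manifest format, the directory
layout and the file contents are assumptions made up for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Snapshot every file under root as relative-path -> sha256.

    Run this on a known-clean install (the "golden" image); the result is
    the allowlist. It must be regenerated for every legitimate update,
    which is the maintenance cost of the approach."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def check_write(manifest: dict[str, str], rel_path: str, content: bytes) -> tuple[bool, str]:
    """Decide whether writing content to rel_path is allowed.

    Policy: the (path, hash) pair must already be in the allowlist. A new
    path, or a known path with different content, is refused. This is the
    thread's "block unless confirmed good" rule, the inverse of a
    signature denylist."""
    digest = hashlib.sha256(content).hexdigest()
    expected = manifest.get(rel_path)
    if expected is None:
        return False, f"refused: {rel_path} is not in the allowlist"
    if expected != digest:
        return False, f"refused: {rel_path} content {digest[:12]} differs from allowlisted {expected[:12]}"
    return True, f"allowed: {rel_path} matches the allowlist"


def audit(manifest: dict[str, str], root: Path) -> list[str]:
    """Post-hoc check of the same policy: report files that are unknown,
    modified or missing relative to the manifest."""
    findings = []
    current = build_manifest(root)
    for rel, digest in current.items():
        if rel not in manifest:
            findings.append(f"unknown file: {rel}")
        elif manifest[rel] != digest:
            findings.append(f"modified file: {rel}")
    for rel in manifest:
        if rel not in current:
            findings.append(f"missing file: {rel}")
    return findings


def demo() -> dict:
    """Build a constructed 'system32', allowlist it, then try three writes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers").mkdir(parents=True)
        dll = b"constructed stand-in for a system DLL"
        (root / "kernel32.dll").write_bytes(dll)
        (root / "drivers" / "disk.sys").write_bytes(b"constructed stand-in for a driver")
        manifest = build_manifest(root)

        results = {
            # same path, same content: a legitimate re-write of a known file
            "same": check_write(manifest, "kernel32.dll", dll)[0],
            # known path, patched content: what a file infector does
            "tampered": check_write(manifest, "kernel32.dll", dll + b"\x00patch")[0],
            # unknown path: what a dropper does
            "dropper": check_write(manifest, "drivers/rootkit.sys", b"new unknown driver")[0],
        }
        # Simulate the dropper getting past the hook and audit the directory.
        (root / "drivers" / "rootkit.sys").write_bytes(b"new unknown driver")
        results["audit"] = audit(manifest, root)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} -> {v}")
```

Note what the check does not do: it says nothing about files outside the allowlisted directory, about data files, or about an exploit that never writes to disk, so it is a containment layer, not a replacement for fixing the software being exploited.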

Re:So why not change it? (1)

ircmaxell (1117387) | more than 4 years ago | (#31454806)

So you want to go to a permissions based security model? Something along the lines of what Android does? So when you install the app, it'll tell you every permission that it has, and if you don't agree with them, it doesn't install (Or possibly gives you the option of running in a reduced permissions mode, if the developer allowed it). It's a lot of overhead, but most definitely could have some interesting results in combating these kind of threats. Then again, something like this would need to be introduced at the Kernel level (Any higher, and permissions could be subverted with a system call)... Actually the more I think about it, it sounds like a good idea! You could implement "persistent" permissions and one-time-only permissions. So when you install the software, you can declare the permissions that it has permanently (And hence avoid the UAC dialog box every time you use that software), and select some permissions to be granted on a one-time basis (that it must ask each time)... Once something got into the kernel, it'd have free rein over everything, but how's that different from now?

Re:So why not change it? (1)

localman57 (1340533) | more than 4 years ago | (#31454808)

Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

Microsoft more or less tried something like this with UAC on Vista, didn't they? Granted, it doesn't matter that much until you fix all the other security holes, but the point is that average joe users don't want it, and they make up the majority of the (non-open source) users. It seems to me that asking "Are you sure" before installing software is a good thing, but the marketplace apparently disagreed.

And the fact is, you can say "They'll learn their lesson after they get infected," but the truth is very few people will fess up to the fact that they are partially responsible for their computer getting infected.

Re:So why not change it? (1)

vadim_t (324782) | more than 4 years ago | (#31454854)

Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

And just how is that going to work?

The main threat are executables. You could require signatures. However, not everything will be signed. Heck, many drivers still aren't. So inevitably the user will run into something unsigned they want to run. At that point they'll ignore/disable the signature warning, and happily install any trojan that comes along.

Or you could reverse the antivirus idea, and build a giant database of checksums. It'll need a checksum for every obscure piece of software out there, in every possible version. WoW released an update today? You can't play until the DB gets updated. At that point the user will ignore/disable the signature warning, and happily install any trojan that comes along. Add to that that no company will analyze every byte of every binary, and them listing a trojaned version as valid is quite possible.

Even if that somehow worked perfectly, you still have to deal with exploits, like images crafted to exploit the decoder. You can't possibly whitelist every legitimate image.

Any signature based system only works well within tight constraints that are impractical on desktop computers. Time would be much better spent on creating sandboxes, tightening permissions and fixing ways to exploit a program, so that if something gets in, it can't do anything anyway. But there's little interest for antivirus vendors in that, as if we got there there wouldn't be improved versions or database updates to sell.

Re:Stating the obvious (1)

nine-times (778537) | more than 4 years ago | (#31454578)

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.

There's definitely some truth to that. However, I think the security industry is still open to criticism specifically because they're telling the clueless, "Without us you're screwed, but if you buy our product, then you don't need to worry. We have you covered."

The problem is, if you're careful and know what you're doing, you don't really need all of these products on your computer. If you're careless and don't know what you're doing, then these products don't quite solve the problem. In most cases, it's a nugget of real product being sold in a 10 gallon drum of snake oil.

Re:Stating the obvious (1)

mcgrew (92797) | more than 4 years ago | (#31454694)

AntiVirus is imperfect as it relies on signatures and known processes

I wouldn't say "imperfect", I'd say "flawed". The industry needs to rethink its methodology and come up with something that actually works. User education would be a start, but even that's not enough.

Re:Stating the obvious (2, Insightful)

pastafazou (648001) | more than 4 years ago | (#31454712)

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better.
Just wait until YOU have kids. You'll go off to work, secure in the fact that you're an enlightened end-user as far as security goes, and when you get home from work, you'll see how much damage kids can cause in the 2 hours between the end of their school day and the end of your work day.
And, when that happens, just let me say in advance: HA HAH! /nelson voice

Re:Stating the obvious (1)

owlstead (636356) | more than 4 years ago | (#31454828)

People modding this insightful should get a clue-stick. The best defense is relying on systems that have more security built in, not on the end user. The end user will always be clueless and rightfully so. The end user has stopped being a computer fanatic for almost 2 decades. And there are a lot of things that can be improved. Buffer overruns should be a thing of the past, applications should not start out with permissions that lie outside their intended use (MS implemented that for IE, which was a seriously good move).

Of course, anyone should still have control over their computer and so there will be users that continue to be a threat. We should of course point out to the users that what they are doing is stupid. But we should also build systems that protect the users as much as possible, and (if that does not help) systems that protect against user stupidity.

Virus (2, Funny)

mcgrew (92797) | more than 4 years ago | (#31454368)

If the "M" virus hits the RSA conference, is it the MSRA virus?

failed? (3, Interesting)

Lord Ender (156273) | more than 4 years ago | (#31454378)

the security industry has failed to protect paying customers from some of today's most pernicious threats

This is a terribly ignorant statement. The security industry has actually succeeded in protecting paying customers from all but the most pernicious threats. IT security is about reducing risk, and that's what it does--successfully.

Re:failed? (1)

Stumbles (602007) | more than 4 years ago | (#31454458)

It is an ignorant statement but not for the reason you cite, and the sentence should read: "Microsoft has failed to protect paying customers from some of today's...". The security industry can do little when given such a crap foundation to work from.

Re:failed? (1)

Lord Ender (156273) | more than 4 years ago | (#31454792)

Well, given enough funding, IT Security could keep even Windows boxes to extremely low risk levels. Most companies, however, simply decide that $x dollars is enough to spend on Security, and so the Security team tries to get the most bang for that buck. You can block 99% of malware with a reasonable amount of security expense. To get to 99.9%, you will need to double or triple the cost. 100% is not possible, and most companies accept the risk that small amounts of malware get through.

you can lead a horse to water.... (1)

Em Emalb (452530) | more than 4 years ago | (#31454394)

but you can't stop him from clicking on a link to beat the crap out of a monkey.

In summary; (4, Insightful)

Stumbles (602007) | more than 4 years ago | (#31454396)

The Microsoft operating system has been, and always will be, insecure. No amount of anti this, anti that, or how up to date your Windows box is changes that; it is not safe to use for any kind of sensitive data.

Re:In summary; (0)

Anonymous Coward | more than 4 years ago | (#31454482)

Any OS is insecure when the users want to see dancing bunnies.

The only difference is the damage to the PC is possibly easier to clean up with alternate OSes.

I know how this is going to end (0)

Anonymous Coward | more than 4 years ago | (#31454404)

We'll soon see sanctions against the "evil" countries.

Be specific when you say Security Industry (0)

Anonymous Coward | more than 4 years ago | (#31454428)

Don't blame the security industry; blame the application developers. Adobe has a new input validation vulnerability every day; browsers fail to properly sandbox these crappy plugins; the OS fails to properly sandbox the browser. Virus scanners address the symptoms of the problem but ignore the cause, which is that secure coding practices simply aren't followed.

Industry slow to respond to challenges (2, Insightful)

jollyreaper (513215) | more than 4 years ago | (#31454432)

Film at 11.

One thing that shouldn't surprise me anymore but keeps surprising me is that it seems like the more money you pay for software, the more half-assed it is. You get an off-the-shelf product like Quickbooks, it's impressive. You look at stuff that's industry-specific, specialized software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be that the lack of competition means there's no real reason to improve the product beyond what it already does.

I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.

Re:Industry slow to respond to challenges (1)

Whillowhim (1408725) | more than 4 years ago | (#31454602)

This, also, shouldn't be news.

Niche applications have a much lower install base, and must make more money on each sale in order to pay for the same amount of development. Since niche markets often have orders of magnitude fewer users, you have to both jack up the cost of the item and cut back on development.

It's the difference between having 50,000 users and 100 developers, and 500 users and 10 developers. Assuming the project is of comparable complexity, you're going to pay 10x as much and get something 10x less polished.

Re:Industry slow to respond to challenges (1)

Mashdar (876825) | more than 4 years ago | (#31454636)

The small business I work for pays six figures annually for three keys for software with no competitors in AC interference modeling. It seems shocking to me, because for that, we could hire a great software guy, or two fresh college coders, and write our own program. The software we use is absolutely awful. It is riddled with bugs (which I frequently have to call them about to get resolved), a terrible UI (which is extremely conducive to user error), and poor I/O options. Despite the fact that I am an electrical engineering grad having only taken two non-assembly programming courses, I have totally changed where all of our time goes by not using their stupid interface for UI (and instead writing a GUI with Python that lets you use KML files to specify paths and to do various tedious model modifications). Worst software ever. Most expensive I've ever heard of. /rant

Re:Industry slow to respond to challenges (2, Interesting)

Jah-Wren Ryel (80510) | more than 4 years ago | (#31454674)

I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.

Back before beowulf clusters were common and most all supercomputers were priced in the 9 digits there was a phrase well known in the community - "Supercomputing is a synonym for unreliable computing."

In other words, if the market is small you suffer from all kinds of problems because there aren't enough users to generate enough bug reports and despite the high per unit pricing, volume is so low that there isn't enough money to pay for all the Q&A beyond the core functionality.

Re:Industry slow to respond to challenges (2, Insightful)

ehud42 (314607) | more than 4 years ago | (#31454928)

You get a consumer car like a Honda Insight, it's impressive. You look at [race cars] that's industry-specific, specialized hardware and software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be that the lack of competition means there's no real reason to improve the product beyond what it already does. Fixed that for you. When Quickbooks can handle the multi-million transaction ledger of a publicly traded enterprise, come back and try again.

Not that hard to believe... (4, Informative)

Jazz-Masta (240659) | more than 4 years ago | (#31454434)

The dark side of computer "security" pays far better than the good side. I was contracted to set up a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.

The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know, the other 12 were support for shipping, gathering information, making contacts, and advertising, etc. When dealing with spyware/malware, there is a lot of butt covering, and evasion.

The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.

Re:Not that hard to believe... (0)

Anonymous Coward | more than 4 years ago | (#31454642)

Conventional programmers should get more of the respect that they deserve!

Multiple Anti-Virus Programs (1)

DIplomatic (1759914) | more than 4 years ago | (#31454450)

Another problem is that most companies only pay for 1 Anti-Virus Program but that leaves their computers vulnerable to anything that particular piece of software doesn't catch.

I work corporate IT and I periodically sit down at each machine and run 3 or 4 virus scans in addition to the one installed on every workstation, but this is a lot of effort. Infections slip by our real-time scan all the time.

No perfect security. (4, Insightful)

spinkham (56603) | more than 4 years ago | (#31454486)

There is no perfect security, offline or online.
I like to say there are 3 main types of attacks:

  • Bots, worms, and other randomly spewed attacks.
  • Industry targeted attacks. An attacker wants to compromise a bank, any bank, and will go for the easiest target
  • Company or resource targeted attack. An attacker wants access to you specifically.

We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.

Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.

This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.

Re:No perfect security. (1)

dkleinsc (563838) | more than 4 years ago | (#31454690)

While there's no such thing as perfect security, there is definitely security that is about 20 times harder to penetrate than your typical bank website. Either that, or the various government spy agencies such as the NSA are in real trouble. Do those organizations get beaten at their own game? Absolutely. But it's a rare occurrence at best.

What I think you meant to say was "There's no security good enough to deter most criminal organizations available at a price that companies are willing to pay."

Hell, why aren't the banks cracked? (2, Insightful)

khasim (1285) | more than 4 years ago | (#31454760)

If security is that difficult, then why haven't all the banks been emptied by now?

Targeted attacks are a different animal (4, Insightful)

v1 (525388) | more than 4 years ago | (#31454514)

That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.

Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.

It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.

Re:Targeted attacks are a different animal (1)

2obvious4u (871996) | more than 4 years ago | (#31454692)

So do people constantly attack Bill Gates' accounts? I mean he is like the most obvious target in the world. And besides, it's not like he'd miss a million dollars if you managed to get to it. It would be like a trophy. Can you even monitor 40+ billion dollars? Can you really monitor a billion anything?

Re:Targeted attacks are a different animal (1)

John Hasler (414242) | more than 4 years ago | (#31454944)

> So do people constantly attack Bill Gates accounts?

They probably try, but there is also the matter of attack surface. Gates has no reason to have much of any. There is also the fact that, while far from my favorite person, he is not an idiot. The same cannot be said for the C-level execs of many large businesses with very large attack surfaces.

You Can't Redesign the User (1)

BJ_Covert_Action (1499847) | more than 4 years ago | (#31454530)

The most widespread vulnerability to internet activity today is not something that can be fixed with an antivirus program, or any kind of program for that matter. When it comes down to it, the primary vulnerability is the meat bag sitting at the keyboard. People are stupid. They don't mean to be. They don't try to be. Still, they are (myself included on plenty of occasions). As a result, all a successful hack has to rely on is convincing a large number of stupid people to do something stupid. That's really not that hard.

We see this in other fields. People do stupid shit all over the place and we try to fix it by teaching people that they can't keep doing dumb stuff. For instance, if you give a pissed off teenager the keys to a car, he/she will drive it recklessly fast. So we have cops out there to teach them different. We hope parents try to teach them different. If all else fails, we have to take forceful action to protect them from themselves (court, gavel, community service and/or jail time). On a large scale, if some group of people pick a fight with another group of people over something stupid (like some kind of zealous ideal or discrimination), sometimes we have to intervene with force to tell them to knock it the crap off (war). It seems terrible. It is a pain in the ass. But it stems from the fact that, often, competent and intelligent folk often need to protect the stupid folk from themselves (or at least we humans convince ourselves of that).

So, those blurry analogies drawn, it all boils down to a simple fact. People are stupid. And as Ron White put it, "You can't fix stupid."

At best, those who are less stupid than others need to work (and sometimes fight) to protect the stupid people from themselves. In other words, the cyber security model needs to evolve from a passive defense, to an aggressive offense taken against the stupid attackers who continually exploit stupid users. In other words, out-compete the shysters.

News Report: The Sky Is Blue (0, Redundant)

bobdehnhardt (18286) | more than 4 years ago | (#31454550)

No security is perfect, never has been, never will be.

And security isn't static. The attacks keep changing; defenses need to change to meet the attack. That means the defenses are reactive - they lag behind the attacks. That means the attacks will always work, at least for a little while, longer against companies and technologies that don't keep up.

Gee, I should become an industry analyst. I can state the obvious with the best of 'em.

PA security officer fired for talking at conferenc (3, Informative)

smooth wombat (796938) | more than 4 years ago | (#31454552)

e (damn /. and its short subject field).

Our state CISO [pennlive.com] was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.

By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.

He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."

As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.

I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:

Site one [scmagazineus.com]

Site two [threatpost.com]

Further, here is an article [techtarget.com] which talks to the firee after he became the state's first CISO and what he had to contend with.

There's a fundamental flaw in these products (1)

Whuffo (1043790) | more than 4 years ago | (#31454566)

Fast moving exploits blow right past these security products. The whole industry is based on "identify new threats, develop a detection routine, include it in the next update". So from the time the "assault" starts there's the time it takes for someone to find it and report it to the security product company. Then there's the time it takes for that company to analyse the threat and code a detection - and then there's another delay while customers wait for the next update cycle to come along.

That's easily ten or more days during which the exploit gets spread far and wide. The bad guys know this and carefully craft their exploits to spread quickly so they can be widely installed before the firewalls and virus scanners start blocking them - and they make their programs hard to detect and harder to remove. Even after the security vendors have the threat "neutralized", the exploit continues to spread behind the firewalls and to the companies with lazy admins who haven't patched recently.

What really needs to be done if we're ever going to make a significant dent in the flood of malware and viruses is to put an end to the various forms of remote execution that some ill-advised software companies have included in their products. Any software that automatically installs or opens files from the web provides an entry for attackers. Things like Flash, ActiveX, etc. - an operating system that permits "drive-by downloads" just isn't suitable for a connected world. Fix those glaring flaws and the number of problems would go way down.

Of course this isn't likely to happen any time soon. Advertisers love those blinky, colorful, dancing, and music playing advertisements. They insist on more and more of these and that's led to more and more viruses being installed by innocent looking ads on some reputable site's webpage. And it's all due to some idiot thinking it was a great idea to have your computer download and open an executable file automatically.

So now we're using ad-blocking software to protect our systems from this kind of danger - and the advertisers are starting to howl. They don't see that they're providing almost universal access to those black hat programmers - or they do see this and don't care because they're making money. We can't have things both ways - if you allow remote execution then you're going to have security breaches. If you don't allow it, the web would be a quieter and less "content rich" place.

"It Just Works" is the problem (0)

Anonymous Coward | more than 4 years ago | (#31454640)

The industry needs a "do-over". It's unlikely to ever happen but that's what is needed. Joe Sixpack expects home computers to "just work" and that's what Microsoft has delivered.

Until every Joe Sixpack is willing to educate himself on computer security all computers should be more difficult to use, not easier.

There is no "security product" for Layer 8 (1)

Chas (5144) | more than 4 years ago | (#31454700)

You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.

I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.

The industry must mature (1)

mewsenews (251487) | more than 4 years ago | (#31454704)

If you read "The Cuckoo's Egg", you will be both charmed and horrified about how quaintly computer security was regarded by the United States government in the early years of the Internet. The insane thing is that despite all the time that has passed since then, we still have lone basement hackers discovering tears in the fabric of the Internet like when Dan Kaminsky found his DNS flaw.

I believe the Chinese attack on Google has finally woken up a lot of very important people. I was stunned that Hillary Clinton added her voice to those asking the Chinese for answers.

I was also impressed by the Chinese attack -- state sponsored hacking is now explicit reality. "Cyber-warfare" is now reality. Countries have started accumulating and safeguarding their intelligence regarding electronic espionage.

It's not fun and games anymore. Kaminsky found a flaw in DNS from his apartment. We will never know if or which governments knew about it before Kaminsky went public.

Mr. Gaeta Was Even Hacked (2, Funny)

IgnacioB (687913) | more than 4 years ago | (#31454748)

We should feel lucky we don't have Cylons yet. They hacked 5 layers of firewalls in a matter of several minutes...and it took many episodes and a reboot via hot skin job sticking things into her arm before they finally removed all trace of the virus.

For the umpteenth time (1)

KGBear (71109) | more than 4 years ago | (#31454770)

NO technology will do your thinking for you. NO product will protect you if you don't know enough to protect yourself. Antiviruses, deep packet inspection, intrusion detection, etc.: they are all useless - worse than that: they are expensively useless, designed more to make somebody else money than to protect the end user. The ONLY thing that will protect you is knowledge. When will people learn that if they want the benefits of modern technology, understanding it is not optional?

You expect Symantec to tell Microsoft what to do? (1)

argent (18001) | more than 4 years ago | (#31454836)

Or Apple... or Mozilla...

The biggest security problems are operating systems and applications that build in "exploit me harder" APIs and user interfaces like ActiveX and 'Open "Safe" files after downloading'.

Microsoft is the poster boy for this, with justification, but every browser company is guilty to some extent. There are no exceptions.

Maybe it's time for segments? (0)

Anonymous Coward | more than 4 years ago | (#31454846)

Sometimes I've wondered if it's time for businesses to have a backbone between them, similar to SIPRNet or NIPRNet. This wouldn't be an IP network, but would have its own protocol, and the hardware transceivers would use SIM card functionality to encrypt stuff over the wire. Then, machines can be connected solely via this. This way, an intruder would have to hack a gateway box, find a way to get access to the target over the network backbone (machines on the same backbone can be configured only to communicate to clients or other B2B partners, and not just anyone, via an enhanced host.allow/host.deny method), then find a way to start launching attacks against the machine proper. Another advantage is that an obviously compromised machine could be pulled off the backbone by an update of a CRL (the revocation certificate can be temporary until the admins can clean a box up, or permanent.)

Of course, this idea is rough, and there are likely a lot of security issues, but separating into different networks means an attacker has to first crack their way onto that network before they have access to a host. The biggest difference between this and IP based private networks is that the backbones are not IP based, so an attacker would have to compromise a machine that has both Internet access and access to the private network and either turn the machine into a bridge or gateway, or use the machine as a staging point for the private network attacks.

If one thinks about it, not all machines connected to the Internet really need Internet connectivity. A lot of servers only need connectivity to Internet facing machines, an internal update repository, and a server which does backups.

The penalties are not high enough... (1)

Dammital (220641) | more than 4 years ago | (#31454964)

... to act as a deterrent. The Mariposa perps face a maximum of six years under Spanish law. That's small enough to shrug off as the cost of doing business.