
Stuxnet's Legacy: Get Back to Basics or Get Owned

samzenpus posted more than 3 years ago | from the all-your-files-are-belong-to-us dept.

Businesses 162

Gunkerty Jeb writes "Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies."


162 comments


Security is hard (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35293092)

No matter how much companies (and individuals) would like to pretend otherwise, security is really hard to do. It's not just a matter of having the right technology in place; people have to follow some inconvenient rules and exercise self control and common sense.

So we're always going to have some of these problems.

Re:Security is hard (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35293142)

Exactly. Vigilance ... and trying to protect clients/users/family from themselves ... is the only way to be sure.

Re:Security is hard (2)

AvitarX (172628) | more than 3 years ago | (#35293186)

Sometimes the slow drag of being protected against oneself costs more than the risk being averted though.

For example, the cost of code generators to access bank accounts online in Europe surely prevents some fraud, but how much compared to the cost of every generator, and the inconvenience of not having access if you lose it.

Similar with active protection virus software not too long ago. It caused instability and slowed things down immensely.

Re:Security is hard (1)

Runaway1956 (1322357) | more than 3 years ago | (#35293626)

You might ask HBGary Federal about the costs involved. That's a story I'll be laughing about for the rest of my life. And, according to Anonymous, the key player in bringing them down was a 16 year old girl. Key words there are "16 year old". A youngster, probably not terribly sophisticated, probably somewhat nerdy, and almost certainly not terribly educated (yet, at least) social engineered an "expert" "security" firm with government connections. Oh yeah, the "girl" part has really got to chafe those big, arrogant macho men.

Re:Security is hard (3, Insightful)

Duradin (1261418) | more than 3 years ago | (#35293934)

Girls being used to social engineer men or using social engineering against men is as old as it gets. I'll leave it as an exercise for the reader to google up the reason why it works.

Re:Security is hard (1)

Flyerman (1728812) | more than 3 years ago | (#35294428)

The fact that she was posing as a man kind of negates all that.

Re:Security is hard (0, Insightful)

Anonymous Coward | more than 3 years ago | (#35293252)

Exactly. Vigilance ... and trying to protect clients/users/family from themselves ... is the only way to be sure.

if somebody needs to be protected from themselves i say fuck it, let them get 0wned. see if they ignore your advice next time. if they do it enters this beautiful category called not your problem. there is nothing cruel about that. you cannot help people who do not want to help themselves. you can only respect their decision.

everything that follows is hypothetical in nature. i do not advocate anybody actually do this. but if it happened anyway even though i do not advocate it, i will explain what the results would be.

in my personal opinion i almost wish somebody would just go ahead and make some truly destructive malware. something designed to spread for a little while and then securely wipe every last writable partition it can access. let it use already patched vulnerabilities only. that'd be the best way to take the insecure machines offline until their owners get a clue or hire somebody with a clue. i like that better than isps becoming the malware cops. i like that better than organized criminals having a steady supply of huge botnets to do their bidding and give them anonymity.

less pain for everybody involved that way. the irresponsible idiots don't turn into spam-spewing ddos-attacking botnet members and that benefits everybody else. the irresponsible idiots also don't have to worry anymore about keystroke loggers and other shit taking their financial details since those dont run so good on totally blank hard drives...

see folks that would be addressing the source of the problem. the problem has two aspects really. aspect one - people refuse to secure their systems and resent you for telling them that expecting them to be experts is unreasonable but they should at least do a little reading and attain at least basic competence. aspect two - the same people think "oh my computer is just slow these days" instead of realizing this is a problem they need to do something about NOW. malware designed to destroy as much data as possible that only uses security flaws they should have already patched is ideal for preventing the incompetent from inflicting their stupidity and laziness on the rest of us.

Re:Security is hard (0)

Anonymous Coward | more than 3 years ago | (#35293290)

You're quite the douche bag, aren't you? We can only hope you fall victim to some "truly destructive malware". I wasn't in favor of "truly destructive malware" but now I am if it means you get hit with it. Thanks for the perspective.

Re:Security is hard (1)

Anonymous Coward | more than 3 years ago | (#35293542)

You're quite the douche bag, aren't you? We can only hope you fall victim to some "truly destructive malware". I wasn't in favor of "truly destructive malware" but now I am if it means you get hit with it. Thanks for the perspective.

we've tried coddling them. we've tried telling them to update. we've tried being "the computer guy" and letting them take up our free time while we remove their preventable malware infection for the Nth time. where has that gotten us? oh yeah, rampant malware everywhere and a ready supply of botnets for online criminals to spam, threaten, ddos, steal financial data and otherwise harm everybody else. you find that acceptable? you are more concerned somebody might get their feelings hurt by feeling their own irresponsibility?

somethin's gotta give. the sheeple need a wake-up call in my opinion. the malware authors understand one thing very well - a good parasite does not wipe out its host. they learned that from every other parasite in nature. what we need is a bad parasite. overnight average joe sixpack users will start to insist on security.

instead of calling me names tell me what you prefer. would you rather government make you have to get a license to use the internet like they do now with cars? would you rather the security situation keeps getting worse and online criminals keep prospering? what we are doing now isn't working. it is not even reducing the problem and has no hope of solving it. only an insane person wants to keep trying the same thing expecting a different result.

we tried all the easy ways. they all have one drastic flaw - they require average users to give a damn. that is why they have all failed. obviously average users wont start giving a damn and looking after their own damn interests without a fire lit under their asses. they resent every suggestion that they take responsibility for their systems, they actively resist learning anything new. far as i am concerned they reap what they sow. i have no sympathy for people who are their own worst enemy and if you really have such a big heart then you don't support someone's maladaptive behavior in the name of kindness.

Give a damn (3, Insightful)

Runaway1956 (1322357) | more than 3 years ago | (#35293674)

Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

Re:Give a damn (5, Insightful)

causality (777677) | more than 3 years ago | (#35294552)

Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

I would add that there are reasons why systems like Linux appeal so much to this kind of user.

The biggest single one is that it doesn't assume you're an idiot. The system is built for users who intend to gradually become more and more familiar with how their systems work and how to maintain them. Users who traverse the learning curve at their own pace are rewarded with more and more ability to assume control and enjoy a system that does what they want the way they want to do it. You can also peek under the hood and see for yourself how things really work, with your skill level being the only limit. Generally things are made as simple as possible but no simpler, unlike Windows.

I would not classify Windows as easy to use, myself. I would call it easy to learn. Linux is quite easy to use if you have learned it. Learning how to use it is a one-time investment that continues to pay off. You can learn all about Windows but that won't make it much more convenient to automate, won't stop it from getting in your way whenever you try to do something advanced, and it won't stop it from trying to make you do things the way Microsoft intended.

The culture around Windows tends to encourage treating it like a black box and memorizing a set of steps to take in order to accomplish a specific task. The culture around Linux and Unix tends to encourage actually understanding how and why the tools work.

Linux also tends to be logical and predictable, the way you'd expect a machine to function. If something breaks, it broke for a good reason. It will stay broken until you fix it. When you fix it, it will stay fixed. You can actually get a meaningful error message that really does help you identify and isolate the problem. Windows has come a long, long way on these two points but it has yet to match the elegance of Linux and Unix. It's also helpful that all of the important configuration ultimately resides in plain text files. There is no opaque single point of failure like the Windows registry, which is a binary database that tends to become a mess over time.

I'd also say that the package management systems that come with Linux distros are vastly superior to the way software is acquired and installed on Windows. Instead of each third-party program having to chase down its own updates, often popping up nag screens requiring the user to complete the final step, you can update every last piece of software on your system with a single command. It's neater, less error-prone, and frankly less annoying. That counts for a lot considering how important it is to keep your system updated, considering how many Windows machines are compromised by exploiting already-patched vulnerabilities. Unfortunately I do not believe central software repositories would be possible on Windows, as the proprietary licenses of most Windows software would not allow third parties to redistribute them.

The users contributing the most to the rampant security problems are what I call permanent newbies. They hate learning new things. Somehow, they can use a tool for ten years without ever knowing much more about it than when they started. They don't even pick up knowledge here and there over time, let alone would they actively study anything. It is like they are too proud to do that. Asking them to do a bit of light reading for their own good is like asking an aristocrat to "fraternize with the help". It is a mentality to which I cannot easily relate. I cannot name anything non-trivial I do on a daily basis that I never learn new things about as I acquire more experience.

Re:Security is hard (2)

PaladinAlpha (645879) | more than 3 years ago | (#35293550)

Yeah, I mean, I think they should make cars that blow up if you don't check the oil, belts, timing belts, brakes, transmission, coolant, tires, hoses, spark plugs, wires, distributor caps/rotors, and air filters precisely at the best mileage for each! That way, people who refuse to help themselves by daring to drive a car without knowing the full maintenance schedule (and implications of missing parts of it) will be taken out of the education. Those stupid, incompetent, lazy people.

Re:Security is hard (0)

Anonymous Coward | more than 3 years ago | (#35293908)

Yeah, I mean, I think they should make cars that blow up if you don't check the oil, belts, timing belts, brakes, transmission, coolant, tires, hoses, spark plugs, wires, distributor caps/rotors, and air filters precisely at the best mileage for each! That way, people who refuse to help themselves by daring to drive a car without knowing the full maintenance schedule (and implications of missing parts of it) will be taken out of the education. Those stupid, incompetent, lazy people.

wiping the data on a hard drive doesn't make the computer explode. nice try at melodrama Sparky. typical slashdot bullshit - "I don't like what you said and instead of formulating a rational argument i'll just go all emotional". excellent strategy sir.

funny you should mention cars. government regulates those actually. the government requires periodic inspections for your car to verify that it is in good working order before they will allow you to put it on public roads. there are punishments for those who will not comply, usually fines. they acknowledge the problem and that is their solution for it. now most people are not auto mechanics so they hire mechanics to take care of this for them. likewise most people are not skilled computer techs but guess what, computer shops are full of people they could hire to secure their systems.

they cannot be bothered and that's the problem. why don't you face it? why can't you acknowledge that people taking care of their computers like they do their cars would all but eliminate the problem? why won't you admit that they choose not to and that's the only reason they don't? truth hurts that much when it interferes with your misplaced sympathy?

for computers i acknowledge a similar problem to the one you mention concerning cars and look at the denial everybody shows. what's the matter, the facts aren't what you wanted to hear so you'll blame the messenger? tell me, when you bury your head in the sand like that do you prefer full immersion or partial?

mark my words this problem is only getting worse. it will need a solution. government is only too happy to provide one. they love nothing more than a crisis that is solved by expanding their powers. that's a lot worse than allowing the incompetent to suffer from their incompetence for as long as they refuse to address their incompetence.

it is amazing how much vitriol there is against anyone suggesting that people who are irresponsible and stupid despite years of warnings and advice should be allowed to suffer the results of their irresponsibility and stupidity, the same results they'd otherwise be inflicting on others (botnets are not fun). what gives them that right? if you want to reject personal responsibility make your case for it. you won't because you can't. i doubt you even realize that personal responsibility is what you are resisting.

Re:Security is hard (1)

Thexare Blademoon (1010891) | more than 3 years ago | (#35294248)

I support personal responsibility. Stupid people often get what's coming to them.

That said, sir, you are still an arrogant, insufferable cunt.

Re:Security is hard (1)

PaladinAlpha (645879) | more than 3 years ago | (#35294556)

A computer having its available data indiscriminately wiped is a comparable disaster to a catastrophic car failure in the amount of disruption it can cause. You are consummately guilty of not thinking about the implications of what you advocate, and in the classic manner are attempting to shout down anyone who might expose flaws in your reasoning.

Now, you've extended the analogy farther than it was originally grown, and in doing so invalidated it. Computers are not cars. Routine maintenance on a computer will not keep it in working order in the same manner as a car. An engine's enemy is entropy. Your computer's enemy is far more insidious, if a bit less relentless.

There is no 'routine maintenance' that can be performed on computers to safeguard them. There is no simple five-step program that any person can follow. The closest you can get is mass-market virus scanners and the like, and while those might stop 90% of the problem -- at considerable cost to the host environment -- the 10% remaining is the worst 10%. There isn't a period of warning with computers like there is with cars -- indeed, it's much the opposite. Once you've noticed a problem it's far too late. Preventive security on complex systems is hard.

Your talk of responsibility is immature nonsense. No one is resisting responsibility. But your stance to 'solve' this problem is to say, well, just make everyone responsible for everything -- we'll take every person in America and make them get a four-year degree in system security, and then if anything goes wrong we'll have someone to blame it on! If anyone doesn't bother putting themselves through the highest level of education specifically on the topic of securing their systems, then they should obviously lose their data! It's a complete denial of reality.

So, tell me, is this how you feel about your banking institution? You really don't care if they are breached if they 'learn their lesson'? Your health care provider? Your employer? Your daughter? Do you really believe that data is only valuable to the person that possesses it?

We're all living in the Real World, and your views will someday -- when you're older, no doubt -- incorporate that. For now, you've built up some oversimplified model of society, and its application is not only undesirable, it is completely unfeasible.

Re:Security is hard (1)

khallow (566160) | more than 3 years ago | (#35293700)

if somebody needs to be protected from themselves i say fuck it, let them get 0wned.

[...]

if they do it enters this beautiful category called not your problem.

Unless you need to be protected from their actions as well say because they're introducing malware onto your network that you need for your job. Then it enters an ugly category called "your problem".

Re:Security is hard (2)

commodore6502 (1981532) | more than 3 years ago | (#35293338)

>>>trying to protect clients/users/family from themselves ...

(takes scissors to ethernet cable leading into generator, centrifuge, etc) SNIP. Okay it's secure. Never should have been on the internet in the first place.

Re:Security is hard (3, Interesting)

dudeman2 (88399) | more than 3 years ago | (#35293562)

Actually, those centrifuges were never on the public Internet. Stuxnet was cleverly designed to infect the workstations running Step 7 PLC programming software and hijack the communications with the PLC to install its payload on the PLC. I don't know if the Step 7 workstations were on the Internet either; they may have been infected by sneakernet - USB keys, CDROMs, and the like.

Re:Security is hard (2)

John Hasler (414242) | more than 3 years ago | (#35293836)

I don't know if the Step 7 workstations were on the Internet either; they may have been infected by sneakernet - USB keys, CDROMs, and the like.

Rumor has it that USB keys were scattered in the parking lots.

Re:Security is hard (0)

Anonymous Coward | more than 3 years ago | (#35293830)

Comments like this only come from people who have never actually worked on SCADA systems.

Now, I'd agree there should be 1 or more firewalls between the SCADA devices & the general user network, and at least 1 more firewall between the users and the Internet. But to say that these devices have no reason to be on the network is ignorant.

especially for idiots (0)

Anonymous Coward | more than 3 years ago | (#35293160)

ya know like hollywood

Re:Security is hard (2)

MstrFool (127346) | more than 3 years ago | (#35293262)

No kidding. The only perfect security just happens to lock out all legitimate users as well. So long as someone can access the info, then someone else can find a way in as well; the more people that need to be able to access it, the more ways in there will be. It doesn't help that traditionally, security tends to be the lowest item on the list. Need to save money, most companies will skimp on security before they will skimp on janitorial. Guess they want to be sure the place looks nice for anyone that breaks in. Same goes for computer systems. The order of importance seems to be, Make it look nice, Make it simple to use, Make it work, and make it secure. Sadly, it pays off to work it that way. If it looks good, people assume any problem with it is their own fault and not the program. Make it simple and most people don't realize just how few options they have and just how little they can really do with it. Make it work, well, folks expect problems and blame themselves, so we can fix the bugs later. Make it secure, but don't do anything that prevents the legitimate users from doing what they should... Good luck on that. Best example of how people react to a company making an attempt at doing the right thing and getting hammered for it is, and I /really/ hate to say this, but... Microsoft and their access controls in Vista/win7. They started to do it right and put in real security, and people went ballistic. Problem is, people didn't get pissed that it only locked the user out and let hackers through, they got pissed that it asked them before just doing things. Now, I'm not saying it couldn't be done better, it could have. But look at what people complained about, 'it's in the way', not 'it's insecure'. Right there shows why things will never be secure. People want convenience, not security, and people are the ones that pay for the work.

Re:Security is hard (1)

Anonymous Coward | more than 3 years ago | (#35293396)

My issue with Vista was simple: I don't need to be asked 3 or 4 times if I'm sure I want to open Windows Explorer in a manner that will allow me to view/modify my system as I see fit. Like it or not, once it's installed it is my computer and my Operating System (License); while security is important, if that security is circumvented I should be able to modify ANY file or directory structure on my computer as needed to remove said security breach. If I don't have access to do that due to something you've put in, you are doing nothing but exacerbating the problem.

Re:Security is hard (2)

RichardJenkins (1362463) | more than 3 years ago | (#35293280)

But SQL injection vulnerabilities are pretty easy to avoid. I'd say in the general case SQL injection problems are a good indication to avoid a company.

If you inadvertently allow malicious access to your DB via SQL injection - fine. Just don't fib by saying your company should be taken at all seriously when considering their security credentials.

Re:Security is hard (1)

Anonymous Coward | more than 3 years ago | (#35293822)

I'm what they call a "white hacker". I inject SQL with marshmallow filling turning computers into Twinkies.

Re:Security is hard (1)

blair1q (305137) | more than 3 years ago | (#35293334)

Security is only hard to do if you don't know what you're securing.

Code is fractal and dense. It's an implosion of vulnerability.

Think of it instead as a building with a hundred doors. You know you can secure all those doors. But open one and behind it are a hundred more. Okay, so you can secure the first hundred, you can secure these. But behind these may be more doors, and you don't know which doors are unlocked and can allow the outside world in.

The only way to handle this situation is to ensure your entire building is known to you, and that you have a way to check every door to be sure it's locked.

But the way people code with any efficiency is to import a whole new building behind a few new doors, thus bringing in a non-finite expansion of your insecurity.

Efficiency in coding is therefore the enemy of security in coding. Until we get back to the nuts and ensure that we can know where all the doors are and that we can check them to be sure they are all locked.

Re:Security is hard (1)

postbigbang (761081) | more than 3 years ago | (#35293452)

No. It's not that tough. You make it out to be layering against different kinds of vulnerabilities. It's much different than that.

You have an OS with its faults, access RPC with its faults, code with its faults, and libraries with their faults. You can control only parts of this in your code. The rest is choosing solid OS and RPC support, and libraries with known code and behaviors.

Then you build parsers with as much concrete as you can, update platforms, rinse, repeat.

Re:Security is hard (1)

blair1q (305137) | more than 3 years ago | (#35294208)

Then someone comes along and finds bug #32,767 in the browser you trusted, lathers you up, and repeats all over you.

Doors inside of doors, because "solid OS and RPC support" is a hall of doors you just tacked on because someone selling it said "uh, yeah, sure. it's secure..."

Re:Security is hard (1)

postbigbang (761081) | more than 3 years ago | (#35294378)

Then the solution is something like your own cut of BSD, linted of all extraneous code, hardened kernel, with your own control of your own written RPC APIs.

Re:Security is hard (0)

Anonymous Coward | more than 3 years ago | (#35294494)

Problem #1 here is the constant reinvention of the wheel that seems to be going on. Heck, we can't even decide on a browser right now and we're resigned to saying "Oh well, I think we 'need' 8 browsers in our ecosystem" so it's really security through obscurity again. Throw some weight behind a single piece of code and make sure it stands up to an audit. If you can't audit it, then it's useless (sorry M$, no cookie for you).

The constant OCD approach to running off and building yet another program that fails to address the problem is not a way to develop software; it's ill-intentioned ego stroking with a smattering of irresponsibility. You can't sell security (think of the TSA) so no solution on the market is going to address the problem.

Lets all throw our PCs away and start again, I have this idea for a new type of home computer...

Re:Security is hard (1)

dkleinsc (563838) | more than 3 years ago | (#35293400)

Some things really aren't hard, though: There are plenty of well-known programming practices that make SQL injections and XSS attacks a thing of the distant past.

What is absolutely true in your post is that any company that says "buy this security product and you'll be perfectly safe" is talking nonsense. And yes, I'm including McAfee and Symantec in that kind of company.

Re:Security is hard (1)

grumbel (592662) | more than 3 years ago | (#35293912)

There are plenty of well-known programming practices that make SQL injections and XSS attacks a thing of the distant past.

And that is part of the problem. A lot of security is still based only on "good programming practice", while it really should just be giving the user a compile error.

Re:Security is hard (1)

flappinbooger (574405) | more than 3 years ago | (#35293468)

Yes, security is inconvenient. I even have a hard time getting organizations to use passwords longer than 3 characters, let alone "complex" and expiring once a quarter. More than one password?!?!?!? It's a disaster. Can't put up with it. Not gonna happen.

I think implementing biometrics is the way to go, swiping a finger is much easier than typing. Also don't have to remember it or write it on the post-it note stuck to the monitor.

Common sense? Well, social engineering is one of the biggest security holes, but I think a hacker would have a hard time with some people I've run into because they probably wouldn't understand his social engineering questions.

"What's your password?" "You mean the thing I type in first in the morning, or the thing I type in later when I want to fire up the hard drive?" "uhhhh.... The first one?" "Hold on... Mabel! What do I type when I come in? P .. A .. S .. S... W .. O ... R... D... What was that last part Mabel? P.... A .... No, not that, The first thing I type!" "!@$#!@#! .... click."

Re:Security is hard (1)

Andy Dodd (701) | more than 3 years ago | (#35293532)

I forget who to attribute it to, but the quote "There is no patch for human stupidity" remains as appropriate as it ever did.

Re:Security is hard (3, Insightful)

PhilipTheHermit (1901680) | more than 3 years ago | (#35293708)

There are a few things you can do, though:

1) Don't let your developers go berserk with their framework of choice. Standardize on something company-wide, thoroughly audit/evaluate it as a platform, assign staff to maintain and patch it, and train everyone else on how to securely develop for it. I know corporations hate to train or otherwise improve their staff, but at some point they're going to have to bite the bullet.

2) Build an internal team and use them for your development needs. Mentor them, build institutional knowledge, have a succession plan in place. Stop contracting everything out to the other side of the planet and then feigning surprise when it falls over in the first stiff wind.

3) SIMPLICITY IS YOUR FRIEND. Don't let your developers make your site complex because they want to work with a cool framework or show off their skills. Do design reviews and simplify, simplify, simplify.

4) Treat all new developers as apprentices, and make them work under a "journeyman" for their first year (usually their probationary period) until they prove themselves and have learned how you do things.

It's not rocket science, it's common sense. Well... Common among older programmers, anyway.

Re:Security is hard (1)

mlts (1038732) | more than 3 years ago | (#35293890)

Three words: Defense in depth.

A company can't depend on one single thing for their security. These days, it does take network security, host security, having policies in place that people follow, and periodic (scheduled and unscheduled) audits/pen tests. Without all these, it is only a matter of time before a blackhat easily gets their way in.

This doesn't mean paranoia, but it also means that one can't hide their head behind a fence and expect a blackhat not to target the derriere that is exposed.

Not so much "hard" as "lazy won't make it". (1)

khasim (1285) | more than 3 years ago | (#35294004)

Basic security is easy. Very easy. It's just not convenient.

The problem is that people are lazy. Even if it is easy, they want it convenient for them.

And when it becomes convenient for them, it becomes convenient for the crackers.

The more convenient for your users, the more convenient for the crackers. It's linear. If your users can access your systems from anywhere in the world, so can the crackers.

As seen with the HBGary crack.

Re:Security is hard (1)

hairyfeet (841228) | more than 3 years ago | (#35294344)

Not to mention how badly we humans like to latch onto what I call "magical thinking" which is "If we have (insert product or technology) then we'll be safe!". You'd be surprised how many times I've walked into some SMB or large office and found a totally pwned network where they were just shocked! shocked I tell you! that the magical McGuffin they had based their entire security on had failed them. Hell there is a troll on this very website that subscribes to magical thinking with regards to HOSTS files and thinks they will magically protect him from all malware.

The simple fact is that NO OS, security technology or other magical McGuffin can take the place of good old fashioned best practices, with a top to bottom least privilege layout and sensible security policies. But all of that is hard, takes constant work, costs money, and is hard to explain to a PHB, so in walk these companies offering magical thinking, which sells like hotcakes right up until a company gets pwned.

Re:Security is hard (1)

gbjbaanb (229885) | more than 3 years ago | (#35294512)

Yes, security is hard to do, so we need to find alternative ways to protect the ever so fragile code we run.

One suggestion I've seen is walling it off in 'fortresses'. I.e. you do not directly run SQL from code running in the web server; instead you pass fixed requests through to a back-end server process through a well-defined and small interface and have that run the SQL (which you do not pass in as a parameter).

Even this is not going to be perfect, but it'll reduce the attack surface significantly. Too bad most programming frameworks and environments are geared up for exactly the wrong 'whatever is the easiest way to code' system. So yes, self-control and common sense.

English (0)

Anonymous Coward | more than 3 years ago | (#35293096)

Slashdot editor's legacy: Get back to English class or get owned

Old, every one of them (-1)

Anonymous Coward | more than 3 years ago | (#35293106)

Hell. Social Engineering is older than my knees and prostate combined!

This is more of an open problem (3, Insightful)

IgnitusBoyone (840214) | more than 3 years ago | (#35293118)

Well, the problem with most of these is that even if you know about them, it only takes one lazy employee to introduce them. So, it's hard to be 100% vigilant against the threats, and because it only takes one crack to break the dam, this makes it impossible for most security companies to improve.

Of course it still works (1)

russotto (537200) | more than 3 years ago | (#35293124)

Just because you can put a label on something doesn't mean it's simple or easy to defend against. SQL injection, yes. But phishing, malicious attachments, and social engineering aren't easy or simple to defend against. Well, you can get rid of malicious attachments by getting rid of all attachments, but even if that's practical, it leaves the rest.

Meh (1)

Dunbal (464142) | more than 3 years ago | (#35293128)

Maybe one day people will take little Bobby Tables [xkcd.com] seriously. Frankly there is no excuse for stupidity. But you must bear in mind also that we will never run out of stupid people.

Re:Meh (1)

ArhcAngel (247594) | more than 3 years ago | (#35293316)

Here's [youtube.com] your sign [amazon.com]

Perspective (4, Insightful)

TheRealMindChild (743925) | more than 3 years ago | (#35293134)

SQL injection, phishing, malicious attachments, social engineering. Old, every one of them.

And every one of them gets learned the hard way by the new batch of up-and-comers. It isn't like the average knowledge of us IT folk has gotten any bigger. Old, seasoned folks leave, and new, green folks join. Also, management.

Re:Perspective (2)

Dunbal (464142) | more than 3 years ago | (#35293166)

Gee, here's a thought: old, seasoned folks one day will pass their knowledge down the line to the new generation. We can call it "education". Heck, we might even be able to charge money for it!

Re:Perspective (1)

MozeeToby (1163751) | more than 3 years ago | (#35293216)

Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible? Then all you have to do is convince the green new up and comers to use the existing tools. Only downside is that the newbies don't learn the lesson, but this particular lesson is pretty costly to learn the hard way.

Re:Perspective (2)

somersault (912633) | more than 3 years ago | (#35293304)

The best solution is, as always, in between. You don't want people in 50 years time having no clue how to write a secure database library.

Re:Perspective (5, Insightful)

Rary (566291) | more than 3 years ago | (#35293346)

Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible? Then all you have to do is convince the green new up and comers to use the existing tools. Only downside is that the newbies don't learn the lesson, but this particular lesson is pretty costly to learn the hard way.

In IT, there is this general belief that the seasoned professionals, also known as "old timers", are filled with antiquated and useless knowledge, while the green newbies, also known as "cutting edge fresh talent", know all the whiz-bang new way of doing things.

Sometimes, this is true, but sometimes it is not. As long as we continue to view this industry as being one that changes so rapidly that everything learned last week is obsolete, we will continue to make the same mistakes and reinvent the same flawed wheels.

Re:Perspective (0)

Anonymous Coward | more than 3 years ago | (#35293376)

They can't 'use the existing tools' because there is always a mandate to 'update the technology.' That usually means replacing well working code with obfuscated OOP, rewriting in Java/.Net/language of the day, etc. I lament now and then about updating the technology just for the sake of updating the technology and the PHBs without insist that isn't the mandate. I rarely see a business case for the updates. On the rare occasions I do see a business case it's full of nonsensical 'evangelist' lingo (see Agile, OOP, etc).

Re:Perspective (1)

Barefoot Monkey (1657313) | more than 3 years ago | (#35293972)

Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible? Then all you have to do is convince the green new up and comers to use the existing tools. Only downside is that the newbies don't learn the lesson, but this particular lesson is pretty costly to learn the hard way.

It's not only possible, but it's already done in the case of stored procedures and prepared statements. When a newbie first arrives, inform him that his code should access the database using stored procedures and that when he absolutely has to construct statements directly then those statements must be prepared and never constructed from user input. No more SQL injections. If the newbie ever takes a moment to stop and consider why that rule is there then he will most likely (I hope) learn the lesson for himself through contemplation.

Re:Perspective (0)

Anonymous Coward | more than 3 years ago | (#35294016)

Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible?

Yes, it's called using a damned prepared statement. You have to use the damned library if you want it to do any damned good. I wouldn't want a language stopping me from string concatenation, which is how this crap happens. I will never understand why people don't use parametrized prepared statements, then act like preventing SQL injection is some magic voodoo that can only be done with extensive, magic RegExps and extensive input washing that true wizards know. Just use parametrized prepared statements!

Re:Perspective (5, Interesting)

COMON$ (806135) | more than 3 years ago | (#35293284)

Now this is a mixed message because coming up through the IT field it was the old timers causing the security problems. "What? I have to clean my inputs? This is the way I have always done it and this is how I am going to keep doing it" as well as "bah, our company is not a target".

Now it is 10 years after I entered the field full time, things are FAR FAR FAR FAR FAR better. Yes there are still old sites out there, there are still companies that don't update their security because they are struggling to keep the lights on. But seriously as opposed to 10 years ago, Infosec is widespread, companies have security training seminars for employees, Pentests are a regular phenomenon. This increased security is largely because those of us who grew up with tech, intentionally went into the field, and really enjoy the work are now getting to the 10-15 year range on experience and fixing all the damn problems our predecessors set before us. All the while doing our best to defend against the up and comers who are trying to push out projects as fast as possible to pad their resume.

Social Engineering (2)

arth1 (260657) | more than 3 years ago | (#35293136)

I thought phishing was a type of social engineering?

And social engineering isn't a technical problem likely to be "fixed" - it's a continuous education of users that can never be considered done or even successful.

Re:Social Engineering (1)

IgnitusBoyone (840214) | more than 3 years ago | (#35293260)

I don't know if we can educate people in social engineering unless getting scammed becomes a basic part of our education system and upbringing. I mean it's the natural abuse of common human behavior. A 2 hour seminar isn't going to cut it for most people.

phishing, malicious attachments, social engineerin (2)

Culture20 (968837) | more than 3 years ago | (#35293150)

If you fire the dummies, they just end up at someone else's company (and you get other companies' dummies). Ain't no technical fix for stupid, son.

Won't get fixed in this release... (0)

Anonymous Coward | more than 3 years ago | (#35293158)

Fact of the matter is:
        - Maintaining security is a cost
        - Security breaches are not a cost

Corporate policy dictates "costs are bad", ergo there's zero incentive to fix this until it's regulated.

Have a nice day.

Re:Won't get fixed in this release... (1)

AvitarX (172628) | more than 3 years ago | (#35293222)

As a customer I want cost minimized too though. If regulation increases overall cost the cure is worse than the disease.

Cost of a breach can be shared by more than the prevention though, which would be a case for regulation to step in, as total cost could go down, even if corporate cost goes up.

Re:Won't get fixed in this release... (2)

Dunbal (464142) | more than 3 years ago | (#35293250)

As a customer I want cost minimized too though. If regulation increases overall cost the cure is worse than the disease.

I'll just whip those Chinese children a little harder to increase production a few more percent so that you're happy.

Re:Won't get fixed in this release... (1)

AvitarX (172628) | more than 3 years ago | (#35293272)

Cost of being whipped is an expense to the children. The regulation could reduce over-all cost of the system, which in the end is what I want as a consumer.

Re:Won't get fixed in this release... (1)

benjamindees (441808) | more than 3 years ago | (#35293558)

I suppose it could reduce overall cost if there weren't new, different externalities built right into the regulations. Just like subsidizing subprime borrowers "could" have reduced the overall cost of housing, in fantasy land.

Re:Won't get fixed in this release... (1)

Dunbal (464142) | more than 3 years ago | (#35293232)

If this were true, then you would expect corporations to ignore labor laws, tax laws and pretty much every other rule and regulation from how many toilets per employee to what goes in the First Aid kits. Yet somehow corporations manage to comply with all these little rules and regulations despite the fact that doing so involves a cost. Therefore I don't think the argument is as clear cut as you make it. Now on the other hand if you want to argue that the guy in charge of hiring the techs in the IT department has no idea what security is and is relying on junior employees to "provide" security, then I am all for you.

Re:Won't get fixed in this release... (1)

screwzloos (1942336) | more than 3 years ago | (#35293598)

If this were true, then you would expect corporations to ignore labor laws, tax laws and pretty much every other rule and regulation from how many toilets per employee to what goes in the First Aid kits.

This is absolutely the case where the cost of complying with the law is greater than the cost of the punishment for being caught. Realistically, only the regulations with sufficiently heavy penalties are adhered to, particularly for small business. Run things with strict compliance to every nit-picking rule in every book, and the competition is going to run you into the ground.

Re:Won't get fixed in this release... (1)

Darth_brooks (180756) | more than 3 years ago | (#35293248)

Fact of the matter is:

        - Maintaining security is a cost

        - Security breaches are not a cost

Corporate policy dictates "costs are bad", ergo there's zero incentive to fix this until it's regulated.

Have a nice day.

Recovering from breaches is a cost. A huge cost. A cost that keeps on drawing, thanks to negative publicity, pissed off clients, lawsuits, turnover. Sadly, the only way to prove that for some folks is to get hacked. The nice thing is that, as more and more hype mach......media coverage gets out regarding large intrusions, the more likely the people in charge are to sit up and take notice.

Re:Won't get fixed in this release... (1)

blair1q (305137) | more than 3 years ago | (#35293374)

Then think of it this way:

Maintaining security of something you don't understand is NP-hard, at best.

Securing a breach is finite.

The first is an unjustifiable cost. The second justifies itself.

Yes, this is as much a failing of corporate thinking as it is of software security design.

Re:Won't get fixed in this release... (1)

benjamindees (441808) | more than 3 years ago | (#35293656)

That's more like it. Maintaining security is a definite, present cost. Securing a breach is a potential cost and, at worst, a future cost. Corporations tend to ignore potential costs. And they will always discount future costs. The first is because, if they didn't, their competitors would, and would grow faster than they do, secure more investment, capture economies of scale, and put them out of business. The second is because, thanks to institutionalized wage slavery, future costs will always be less than present costs.

Re:Won't get fixed in this release... (0)

natehoy (1608657) | more than 3 years ago | (#35293862)

Really? Then why is there still a line at Hannaford when I go to buy my food? Shouldn't the bad publicity have driven everyone to Wally World and Shaw's? Oh, wait, my options are terrible produce or paying more for my food? Well, Hannaford it is, then.

Good thing you never see anyone at the BP fuel stations any more! Man, the publicity of screwing up oil extraction really... ummm... oh, wait.

Some people remember stuff like this for a long time and use it as their primary criteria and avoid the company forever (several friends of mine still boycott Nestle over the third world formula fiasco, and Nestle caved and that boycott fizzled out before the average Slashdot reader was born).

Some people forget stuff like this immediately, or engage some sort of strange Stockholm-syndrome type thing. I have a friend who now goes to Hannaford because he feels sorry for them. No, I can't figure it out either.

The rest of us have equally rational (to us) and irrational (to others) reasons for preferring or avoiding certain businesses. A hack or a huge screwup is rarely fatal to a business. Being behind the competition because you spent all your time dotting the "i"s and crossing the "t"s of every little security detail is a far larger nightmare to your average C?O.

Fear of being hacked makes a C{E,I,O,F}O nervous.

Fear of being irrelevant is what keeps them up at night.

Nothing to do with Stuxnet (0)

Anonymous Coward | more than 3 years ago | (#35293178)

Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about

So, in other words, we just put that in the title to drum up hits.

Stuxnet had nothing to do with SQL injection, phishing, or email attachments. It may have used social engineering, or it may have been introduced by a covert human agent.

GODDAMN !! WHERE IS THE QUEUE FOR THIS APPLE !! (-1)

Anonymous Coward | more than 3 years ago | (#35293184)

I want it and I want it NOW !! Dunno why... but I want it and I want it NOW !! GODDAMN WHERE IS THE FUCKING QUEUE !!

Re:GODDAMN !! WHERE IS THE QUEUE FOR THIS APPLE !! (0)

Anonymous Coward | more than 3 years ago | (#35293408)

Wait a few days and you can be sure there will be a Slashvertizement telling you where to go. All things Apple are good for page views, hence, ad revenue. I liken these to multi-car crashes, or train derailments, but some, it seems, like to read about it here, a few days late. Blimey!

The problem is people (1)

Drakkenmensch (1255800) | more than 3 years ago | (#35293202)

Anyone who would willingly give their banking info to the Nigerian prince should have all of his office network passwords revoked instantly for being a moronic security threat.

Another take (2)

U8MyData (1281010) | more than 3 years ago | (#35293204)

I see a lot of comments about "dummies." Management needs to take a look at themselves as well. They hold the purse strings and the power of decision. In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand. Don't get me started on the overwhelming and pervasive attitude of users, "you mean I have to remember my password!?!"

Re:Another take (0)

Anonymous Coward | more than 3 years ago | (#35293258)

...about "dummies." Management needs to take a look at themselves as well....

The difference is?

Seriously, business acumen != security knowledge.

Re:Another take (0)

Anonymous Coward | more than 3 years ago | (#35293578)

Seriously, business acumen != security knowledge.

Slightly less succinct, leadership knowledge == assumption of security knowledge == ignorance of ignorance of security knowledge == Aaron Barr...

Re:Another take (1)

blair1q (305137) | more than 3 years ago | (#35293710)

That's what your competitors hope.

Re:Another take (2)

mcmonkey (96054) | more than 3 years ago | (#35294204)

I see a lot of comments about "dummies." Management needs to take a look at themselves as well. They hold the purse strings and the power of decision. In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand. Don't get me started on the overwhelming and pervasive attitude of users, "you mean I have to remember my password!?!"

As a user, don't get me started on admins & devs dropping the ball, making decisions about things they do not understand.

I spent 2 hours this week changing passwords for my work systems. I had 15 sets of credentials to update. Not all those systems are on the same 90-day expiration schedule as my main network ID, but I like to change them all at the same time. Otherwise, I'd never be able to keep my passwords straight.

And by 15 sets of credentials, I mean the user name is not the same for all of them, and for none of them was I able to choose my own user name. So that's 15 different combinations of user names and passwords. And there is a 16th system I wasn't able to update because I don't remember the user name.

Some of these systems I rarely access. There's the company travel center and expense reports systems. I travel for business about once every 18 months. There's the benefits system I access once a year to update insurance information. I log on to those systems every 90 days to update passwords.

So here's our options: I write down my passwords. (Which of course is a big No No) I use the same password for all those systems. (Another big No No) I remember 15 different passwords, some for system I only access 4 or 5 times per year. (Impossible, for me at least)

Or the devs and admins can drop the BOFH attitude, and do their damn jobs. There is no excuse for these systems to not work with a single directory that lets me access them all with a single pair of user name and password. Management needs to stop accepting solutions which do not work with the company directory; the tech folks need to stop implementing solutions which do not work with the company directory.

So please, before you bitch about my inability to remember the 16 different passwords to the 10 or 11 different user names for the 16 systems I have at work, realize developers and admins are not the precious little snowflakes they sometimes act like.

A slightly different take. (1)

khasim (1285) | more than 3 years ago | (#35294250)

In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand.

Most of the cases I've seen, of that type, have been ego issues.

They are management and YOU do NOT tell THEM what to do.

It is YOUR job to protect the network given the constraints of their requirements. If you cannot do that, well, there's another guy looking for your job who says he can.

corepirate nazi legacy; death, debt & destruct (-1)

Anonymous Coward | more than 3 years ago | (#35293234)

all cleaned up & presented as 'god' given 'prosperity'. almost nothing of a self-serving notion will succeed until all of the surviving babies are accounted/cared for. see you there?

moron having a little fun with us 'workers'? (-1)

Anonymous Coward | more than 3 years ago | (#35293378)

"Walker believed the caller was a conservative billionaire named David Koch, but it was actually a liberal blogger. The two talked for at least 20 minutes — a conversation in which the governor described several potential ways to pressure Democrats to return to the Statehouse and revealed that his supporters had considered secretly planting people in pro-union protest crowds to stir up trouble.
The call also revealed Walker's cozy relationship with two billionaire brothers who have poured millions of dollars into conservative political causes, including Walker's campaign last year.
Walker compared his stand to that taken by President Ronald Reagan when he fired the nation's air-traffic controllers during a labor dispute in 1981.
"That was the first crack in the Berlin Wall and led to the fall of the Soviets," Walker said on the recording.
The audio was posted on the Buffalo Beast, a left-leaning website in New York, and quickly went viral.
Editor Ian Murphy told The Associated Press he carried out the prank to show how candidly Koch would speak with Walker even though, according to Democrats, he refuses to return their calls.
Murphy said he arranged the call Tuesday after speaking with two Walker aides, including his chief of staff. He made the call using Skype and recorded it.
Walker spokesman Cullen Werwie confirmed that it was Walker's voice on the call.
The governor said he was ratcheting up the pressure on Senate Democrats to return to the Capitol a week after they fled to block the legislation. He said he supported a move to require them to come to the Capitol to pick up their paychecks rather than have them deposited directly.
He also floated an idea to lure Democratic senators back to the Capitol for negotiations and then have the Senate quickly pass the bill while they are in talks.
Walker said aides were reviewing whether the GOP could hold a vote if Democrats were not physically in the Senate chamber but elsewhere in the building.
Democrats seized on Walker's recorded comments as evidence that the governor plans to go beyond budget cuts to crushing unions.
"This isn't about balancing the budget. This is about a political war," Rep. Jon Richards of Milwaukee yelled Wednesday on the floor of the state Assembly.
The governor's plan would strip most public employees of their collective bargaining rights and force them to pay more for their health care and retirement benefits. Unions could not collect mandatory dues and would face a vote of its members every year to stay in existence."

10 years (1)

vgerclover (1186893) | more than 3 years ago | (#35293410)

protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering.

10 years? Those attacks have existed for as long as those technologies have existed.

See

(Google won't go further than the '90s, but you get my drift.)

Can be solved, but usually won't be (1)

return 42 (459012) | more than 3 years ago | (#35293440)

I think the social engineering, phishing, and attachments could be solved, in organizations that made it a high enough priority, i.e., ahead of being nice to employees or not spending a lot of time and money on it. It breaks down into two steps. First, train everyone very well in how to recognize and avoid the threats. Second, have a dedicated tiger team continuously try to break security by sending phishing emails, emails with pseudo-malicious attachments, and trying to social engineer the employees. First time a given person screws up and breaks security, they go on the public list of screwups seen by everyone, it goes into their record and affects future promotions, and they have to attend training again. Second time, a formal warning, and more training. Third time, clean out your desk.

Not that real cracking attempts wouldn't slip through now and then; but it would certainly make the organization a much harder target.

Problem is, most organizations don't perceive it as important enough to go to these lengths. Intelligence agencies, sure (excepting the perpetually-clueless DHS); probably a lot more draconian than this. Military and FBI, too. Police? Probably not, they don't have the funding, for one thing. Corporate? Hardly ever.

Re:Can be solved, but usually won't be (1)

TaoPhoenix (980487) | more than 3 years ago | (#35293720)

How about this quote of the day from the bottom of the page?

"Dow's Law: In a hierarchical organization, the higher the level, the greater the confusion."

Security is only as strong as the weakest point (1)

JustAnotherIdiot (1980292) | more than 3 years ago | (#35293458)

As long as humans are part of the equation, security will always be weak.

PHP is a big part of the problem (4, Interesting)

Animats (122034) | more than 3 years ago | (#35293536)

PHP is a big part of the problem. PHP's interface to SQL encourages putting in parameters without proper escaping. Python has a slightly different interface, one where there's one SQL statement with fields represented by %s, and a tuple with the values to be filled in. The values are escaped automatically. If PHP had only such an interface, most SQL injection attacks would fail.

It would help if there was simply a restriction that only one SQL statement can be submitted per call. Since all the major SQL implementations now have transactions, there's no reason to put two statements in one call any more.

Another problem with PHP is a tendency to install a large number of standard PHP scripts which shouldn't be installed at all. Look at your server logs and you'll see constant attempts by hostile sites to call common bad scripts.

Hosting "control panels" implemented in PHP are part of the problem. If you have one of those, you can't just turn off PHP, even if you're not using it. Worse, "control panels" tend to run with very high privileges, and present a large attack face.

Re:PHP is a big part of the problem (1)

Anonymous Coward | more than 3 years ago | (#35293628)

PHP:: PDO->prepare()

Re:PHP is a big part of the problem (0)

Anonymous Coward | more than 3 years ago | (#35293892)

This is only a problem with the mysql_* functions. Every other database abstraction layer supports binding parameters to queries. This functionality is only missing from mysql_* functions because mysql didn't support this until 4.1. You can get access to it for newer mysql versions by using the mysqli functions instead.

Of course, you could also just use PDO. Even if your database doesn't support parameterised queries, it will emulate the behaviour for you. It's existed since PHP 5 as a PECL extension and has been part of PHP since 5.1.

See: http://www.php.net/manual/en/pdo.prepared-statements.php

Although this strikes me more as a problem of people being uninformed about SQL Injection rather than a PHP problem. Even without parameterised queries it's still pathetically easy to stop SQL Injections in PHP; cast user input to its expected data type (so $id = (int)$_GET['id']) and pass any strings through mysql_real_escape_string. It's not hard.

Not that any of this is going to do much good, mind. I've found an awful lot of "professional" PHP developers are just copy and paste bodgers. The problem with PHP code from third parties is that it is usually written by well meaning idiots.

Re:PHP is a big part of the problem (2)

Shados (741919) | more than 3 years ago | (#35293932)

I hate PHP too, but the problem there is PHP programmers, not PHP itself.

What you're talking about, as someone pointed out already, is prepared statements. Virtually all mainstream programming languages have the ability to use those, including PHP for almost as long as it's been mainstreamed. The only issue is that the most commonly used MySQL interface didn't use them, and the community didn't push them.

They were available AND they were easier to use than the "bad" way of doing things. You are NOT supposed to escape the data you send to the database, and it's NOT what those interfaces you talk about do. The work done to make sure there's no injection is more subtle and lower level, as well as database dependent. That's why no amount of string escaping is 100% safe.

Using prepared statements (what you're referring to without realizing it) is very very possible in PHP, is now (today) mainstream, and makes sure you're not vulnerable to SQL injection (unless you do something impossibly stupid or try on purpose, but you have to try very hard).

PHP sucks balls and no one should use it, but that's not among the reasons why it does.
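An added example, not code from any poster in this thread: the spliced-together query Animats complains about next to the bound-parameter form the replies recommend, plus a small fixed-request catalogue in the spirit of gbjbaanb's 'fortress' suggestion earlier in the discussion. It uses Python's sqlite3 module, whose `?` placeholder plays the role of the `%s` style Animats mentions; the table, rows and request names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; nothing here comes from a real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
]

# The 'fortress' idea from the thread: the web tier may only name one of
# these fixed requests and supply values; it never hands SQL text to the
# back end. The request names are made up for this example.
FIXED_REQUESTS = {
    "user_by_name": "SELECT name, email FROM users WHERE name = ?",
    "admins": "SELECT name, email FROM users WHERE is_admin = 1",
}


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The pattern the thread warns against: user input spliced into SQL text.

    Kept only to show why the bound-parameter version below matters."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter binding: the value travels separately from the statement
    text and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_fixed_request(conn, request, params=()):
    """Back-end side of the 'fortress': only a known request name is accepted,
    and the caller may supply bound values, never statement text."""
    if request not in FIXED_REQUESTS:
        raise ValueError("unknown request: %r" % (request,))
    return conn.execute(FIXED_REQUESTS[request], params).fetchall()


def demo():
    """Compare both lookups on a name that no user has but that, spliced into
    SQL text, turns the WHERE clause into a tautology. Returns the row counts."""
    conn = make_db()
    crafted = "nobody' OR 'a'='a"
    leaked = lookup_unsafe(conn, crafted)  # every row comes back
    bound = lookup_safe(conn, crafted)     # nothing: no user has that literal name
    return len(leaked), len(bound)


if __name__ == "__main__":
    print("unsafe rows, safe rows:", demo())
```

Note that the bound version needs no escaping at all, which is Shados's point: the driver keeps data and statement apart rather than trying to sanitise the text.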

Re:PHP is a big part of the problem (0)

Anonymous Coward | more than 3 years ago | (#35294356)

PHP sucks balls and no one should use it, but thats not among the reasons why it does.

OK, PHP sucks balls...care to elaborate?

Re:PHP is a big part of the problem (1)

TheCarp (96830) | more than 3 years ago | (#35294374)

Very much agreed. I can't say PHP is a problem so much as...it encourages the problem.

My experience with PHP went something like this, back when I was a professional newb.
Boss: "I need you to write this app, here are the specs, it should be done in PHP, that way we can hand it off to another group and we don't have to maintain it".

It SOUNDED great. The problem is, PHP is easy. It's easy to start, it's easy to mock something up real quick. It's easy to think you are doing well and producing something good that works. It's no harder, however, than any other language to make absolute hash of it.

Can you blame the PHP developers for making it easy to learn and get started? That's like blaming the wheel and pedal interface for letting bad drivers on the road.

I think it's a more subtle problem of competence. There were some great studies a bit back where they looked at how people rate themselves vs objective measures of their competence. Generally, the more competent people (and this has been my experience) tend to rate their abilities lower than the less competent. Why?

Well, one thing you hear a lot from very competent people is "I don't know X", "I am not sure exactly how Y works...". Whereas the less competent tend to deal in absolutes: "Oh I can do that", "I know how that works". The more competent people are more nuanced... they know that there are things that they don't know, and have an idea what many of those things are. They make fewer assumptions.

It is easy to get to the point where you can write a fairly non-trivial application. However, it's also easy to think that this makes you some sort of expert, or especially skilled, especially with all the work you put in to get to that point. It's another thing entirely to do it very well, and to understand the implications of all of what you are doing, especially when it goes beyond your narrow expertise.

Take databases and sql injection. These days, if I am working on code, I know it's not my strong suit, so I compensate by stopping all work, and working just on the database. Designing a schema, writing stored procedures, THEN go to write the higher level code. I didn't do that when I first started out. I used to do what A LOT of people do.... I started with the bare minimum that I knew would "do the job" and only revisited it later if it turned out to be a problem (and then had to re-write large sections... which is usually where the project would die).

Slopping strings together haphazardly is easy to do, very quick.... and it works. It works great. It's no surprise to me that it continues to be one of the most common techniques for working with SQL. It's just sad that this quality of code makes it into real products.

My first reaction when I read about the HB Gary hack was "SQL Injection and Rainbow tables? Haven't these people learned to handle SQL properly and salt passwords? I am no expert and all my recent code does BOTH". The truth is though, most people start out writing that sort of code and... it works so well it's hard to distinguish. Well written secure code is great but, in practice, it's often indistinguishable from bad code unless you have the time and resources to audit it.

Re:PHP is a big part of the problem (0)

Anonymous Coward | more than 3 years ago | (#35293940)

Don't blame the tool - blame the Engineer! Yes, you can write bad code in PHP that would allow an SQL attack. You can do the same in almost any language. It is the job of the programmer and programming team to ensure the code sanitizes the inputs, regardless of whether it is PHP, C#, perl or your tool of choice.

Re:PHP is a big part of the problem (1)

dkf (304284) | more than 3 years ago | (#35294604)

> Yes you can write bad code in PHP, that would allow an SQL attack. You can do the same in almost any language.

The issue isn't that you can blow your leg off in any language. The issue is that PHP does the equivalent of putting a big flashing red button in and daring developers not to press it. To be clear, the problem with PHP is that it was traditionally far harder to Do It Right than to Do It Wrong (a recipe for disaster in the hands of non-experts, and even sometimes experts) and that when you got it wrong, it still would work with the sort of input data that most people test with. It's just one giant collection of landmines, waiting to go off. (Maybe these things are fixed now, but there's a metric buttload of tutorials and books out there that still teach the bad old ways. Bad habits have a disturbingly large half-life...)

Re:PHP is a big part of the problem (0)

Anonymous Coward | more than 3 years ago | (#35294158)

Virtually all .Net SQL interaction prevents this unless you go out of your way.

Django's DB API's... same.

Ruby on Rails... same.

Why PHP doesn't is completely beyond me.

What else is there? (1)

pudding7 (584715) | more than 3 years ago | (#35293560)

Besides "SQL injection, phishing, malicious attachments, social engineering", what other types of realistic attacks are there?

Re:What else is there? (1)

hesiod (111176) | more than 3 years ago | (#35294106)

> Besides "SQL injection, phishing, malicious attachments, social engineering", what other types of realistic attacks are there?

When an army of machete-wielding pirates with stacks of floppies and USB drives break down the doors to your server room, you will know... yes... you will know!

Re:What else is there? (1)

hb79 (917595) | more than 3 years ago | (#35294148)

> what other types of realistic attacks are there?

The good old zero, memory / stack overflow attack? Or brute force password attempts. Random open ports. Windows machines.

Or, if your enemy is really after you in particular: Blackmail, threats to your family, gun to your head. No-knock police raids, or other black-ops. In short, if your attacker is willing to pay anything, you are done for no matter what.

how is stuxnet an example of old vulnerabilities? (2)

SethJohnson (112166) | more than 3 years ago | (#35293600)

I'm not sure how stuxnet is a proper illustration of old vulnerabilities being ignored. From what I recall of stuxnet, it is a WORM that exploits multiple zero-day vulnerabilities, at least one of which was due to security certs stolen from a hardware vendor in Asia. Sure, best practices were ignored wherein industrial centrifuge controllers should have been physically firewalled from any devices that connect with other networks or devices.

But seriously, stuxnet isn't as good an example of a glaring security incompetence as the recent HBGary intrusion. That started with a simple SQL injection, and ended up with executive emails revealing nefarious corporate dealings by a company pretending to be a security consultant.

Here is an EXCELLENT technical dissection [arstechnica.com] of the HBGary attack. Nothing spectacular involved. Just nuts-and-bolts hacking with impressive results.

Seth

Re:how is stuxnet an example of old vulnerabilitie (0)

Anonymous Coward | more than 3 years ago | (#35293982)

Did you even read the summary?

They are saying that things like Stuxnet get the attention, but people are still having the most trouble with the basics, like HBGary you mentioned.

What good is SQL injection... (1)

TheMidget (512188) | more than 3 years ago | (#35293826)

... if you have no goatse.cx, nor goatse.cz, nor goatse.ch, nor goatse.fr to point the SQL-injected website to?

Re:What good is SQL injection... (0)

Anonymous Coward | more than 3 years ago | (#35294224)

Goatse was never the only shock site. Hell, just redirecting to the website of their biggest competitor might cause a few heart attacks.
