×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Web Browsers Under Siege From Organized Crime

Zonk posted more than 6 years ago | from the x-force-2007-sounds-like-an-awesome-movie dept.

Security 168

An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

168 comments

80%...? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22394844)

Are they saying that antispyware software misses 80% of the spyware?

Firefox? Opera? Safari? (5, Insightful)

TFGeditor (737839) | more than 6 years ago | (#22394908)

Okay, I admint I have not (yet) read the article, but experience tells me that 80% likely involves IE at 90 percent or better.

Re:Firefox? Opera? Safari? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22394994)

Troll? I see the MS fanboyz are out in force--with mod points, no less.

Re:Firefox? Opera? Safari? (3, Interesting)

HangingChad (677530) | more than 6 years ago | (#22395116)

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.

I did read the article and can't tell, either. My experience coincides with yours. Funny articles are hesitant to spell out the distribution of vulnerabilities. I wonder if they get leaned on by Microsoft's legal department or one of their PR firms?

Just exactly how many of those vulnerabilities are Firefox running on Ubuntu? Or Safari? Or, as usual, is Windows and IE the most attractive attack vector?

Re:Firefox? Opera? Safari? (5, Insightful)

WilliamSChips (793741) | more than 6 years ago | (#22396690)

I'm not fully sure but I know every browser has one vulnerability. It's between keyboard and chair.

Re:Firefox? Opera? Safari? (1, Interesting)

baboo_jackal (1021741) | more than 6 years ago | (#22397028)

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.

It's a Troll because anecdotal evidence boils down to pretty much this: "That's what my personal experience leads me to *feel* is true, and here are some numbers (I made up) that *feel* right to quantify my *feelings*."

I did read the article and can't tell, either. ... Funny articles are hesitant to spell out the distribution of vulnerabilities.

The linked pdf showed that Firefox had 36 critical security issues versus IE's 28.

Given that modern OSes protect against low-level access violations, I think you can answer your question by looking at the security fault type: 22 of IE's and 12 of FF's were memory corruption or buffer overrun issues, which I'm guessing ought to be caught by the underlying OS. FF had 11 Security Zone Bypasses, of which IE had none, and FF had 13 "Other" critical security issues, versus IE's 6.

Security Zone Bypass is just one type of an elevation of privilege attack. And "Other" doesn't really tell us much, but let's assume that all "Other" vulnerabilities are Bad.

FF, then, had 24 critical security issues that wouldn't necessarily be caught by modern OS memory protection schemes common to both Windows and Linux, to IE's 6.

Hey, I'm no MS fanboy, but the above is what I managed to take home from the article.

Re:Firefox? Opera? Safari? (1, Redundant)

FudRucker (866063) | more than 6 years ago | (#22395274)

even though your comment was modded down as a troll, i agree with you wholeheartedly...

Got plugins? (4, Insightful)

jschottm (317343) | more than 6 years ago | (#22396208)

The web is not just HTML at this point. Both QuickTime and RealPlayer have had notable exploits in the past few months. Acrobat and Flash have had major security holes as well. Just relying on the fact that you're using Firefox doesn't mean that you're not vulnerable.

Why is this new? (0)

Anonymous Coward | more than 6 years ago | (#22397206)

>>Web Browsers Under Siege From Organized Crime

Why is this news? I thought the knowledge of M$s entry into the browser market with IE was so 90's.

oops... never mind

The minute that vulnerabilities were monitized... (4, Interesting)

DigitalSorceress (156609) | more than 6 years ago | (#22394924)

It seems to me that the moment that organized crime found a way to make money off security vulnerabilities (Spam, ID theft, Ransomware, etc...) the writing was pretty much on the wall (though I'm still trying to figure out what it says). It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

Welcome to the wild, wild net.

That's not the worst of it. (4, Insightful)

khasim (1285) | more than 6 years ago | (#22395084)

It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.

What happens if your employer loses a laptop with your SSN, name, etc on it?

Eventually, the criminals are just going to start building a database with whatever information they can find.

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

Re:That's not the worst of it. (4, Insightful)

Anonymous Coward | more than 6 years ago | (#22395530)

Potentially the problems you state are only the scraps, unfortunately it is getting to where every filing cabinet and vault in the world has multitudes of vacuum pipelines hooked to it and organized crime is working hard on figuring out how to break down the filters and routing on these pipelines and channel the flow to themselves. Think in terms of the old vacuum pipes for paper and money transfers inside old department stores and then expand it world wide, now try to imagine keeping it secure, not just your part of it but everyone's part that you connect to and everyone's part that they connect to ad infitum, welcome to the internet.

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?

Side warning to businesses and individuals: Read the above, look around you, let the paranoia begin.

The internet maybe a highly efficient way of doing business, but it can be an extremely efficient way to steal too. Weigh the KNOWN risk factors, is it really worth it?

Organized crime is only the tip of the iceberg.

We may have to become stainless steel rats just to be free.

Re:That's not the worst of it. (1)

fishbowl (7759) | more than 6 years ago | (#22396282)

>now try to imagine keeping it secure

Okay. We have had easy cryptographic solutions for decades now, many of which are reasonably difficult to break. Make use of them.

Re:That's not the worst of it. (3, Insightful)

vertinox (846076) | more than 6 years ago | (#22396320)

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?

Re:That's not the worst of it. (0)

Anonymous Coward | more than 6 years ago | (#22396562)

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?
You don't, perhaps they can but you can't. Question was brought up in a fashion in the post you partially quoted. Unless they just happen to get caught at it you have no way of knowing what other employers a programmer has other then one that they acknowledge and/or is publically known.

Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?
Any code we use, we do so with but faith and varied levels of testing. Closed source is inherently insecure to those who did not write it. That is to say that closed source can only be taken on blind faith as you can not see what is in it and thus limits its testing or adding to its secureness. Even with F/OSS though, you want controls over who does have access to changing it within an Operational basis without or with limited oversight.

Re:That's not the worst of it. (5, Funny)

TheRealMindChild (743925) | more than 6 years ago | (#22395806)

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

I got that one covered. I just haven't paid several bills for a long while now. If someone tries to get credit with my credentials, all they will get is people laughing and pointing at them

Re:That's not the worst of it. (2, Insightful)

SCHecklerX (229973) | more than 6 years ago | (#22395880)

It's even easier than that. Every time you pay with your credit card at a restaurant, you are trusting that waiter not to steal your number, or that they don't print a tape with the number on it and put it in the trash unshredded.

Re:That's not the worst of it. (2, Informative)

vertinox (846076) | more than 6 years ago | (#22396190)

What happens if your employer loses a laptop with your SSN, name, etc on it?

If you are paranoid like me you will have already called one of three major credit companies (not the free score but Equifax, Experian, or TransUnion) and put a freeze on your credit every 90 days with a fraud alert. Or you can pay one of their subsidaries a monthly fee for any notifications via email or SMS of any changes or requests in your credit (yeah it kind of feels like I'm paying them to solve a problem that is their fault).

On the downside you won't be able to get new credit lines easily while your account is locked so do this after you get your mortgage or car loan. On the upside... No one can do anything with your information without causing some major red flags. Also it seems that the junk mail has ceased.

Just a suggestion for those paranoid types.

Re:That's not the worst of it. (1)

maxume (22995) | more than 6 years ago | (#22396856)

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

There is a straightforward way to solve this -- seek out and elect officials who are willing to transfer liability for fraudulent transactions from the person who happens to match the magic number used to initiate the transaction to the institution granting the debt. It might not be easy to find those people and get them past the various financial lobbies, but it would address the problem very effectively. The current situation is madness, people who do absolutely nothing wrong, or even foolish, are left holding the bag for huge amounts of fraud.

Re:That's not the worst of it. (1)

homer_s (799572) | more than 6 years ago | (#22396928)

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

And the banks who lent the money based on a number (that is not even supposed to private) would end up eating the loss. And the credit bureaus who base their business on this number would be run out of business by competitors with better ideas.
At least, that is how it would work in my kooky libertarian world. But I guess everyone likes this setup better.

Re:The minute that vulnerabilities were monitized. (2, Interesting)

KublaiKhan (522918) | more than 6 years ago | (#22395150)

Kinda leads to interesting thoughts...perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods, in the interest of keeping that sort of thing away from our systems.

I know I'm probably going to have to make another scan of my landlady's computer...she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT" :-/

Re:The minute that vulnerabilities were monitized. (3, Insightful)

gnick (1211984) | more than 6 years ago | (#22395320)

perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods
That's an interesting idea and may function just fine at a land-lady level. But, for some reason, my bank balked at the idea of granting me admin access to their server so that I could make sure that my personal info was secure.

Re:The minute that vulnerabilities were monitized. (2, Interesting)

KublaiKhan (522918) | more than 6 years ago | (#22395418)

Well, start small, anyway. The bank can afford to make itself secure, but if every computer in the neighbourhood is sending out Russian viagra ads, your bandwidth will suffer--so doing some basic cleaning and firewalling will benefit you bandwidthwise.

Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection... ;-p

Come to think of it...does anyone know of any successful examples of a "co-op" pseudo-ISP like that that already exists?

Re:The minute that vulnerabilities were monitized. (1)

gnick (1211984) | more than 6 years ago | (#22396666)

Hmmm... Your ideas intrigue me and I'd like to subscribe to your newsletter. But, the only implementations I know of were at a municipal level rather than a neighborhood organization.

Re:The minute that vulnerabilities were monitized. (1)

KublaiKhan (522918) | more than 6 years ago | (#22396768)

If you had one house in the neighbourhood that could get a fibre connection, you could hook up a router, put wireless access points in the various houses, and route the traffic that way.

Or do it wired, o'course, but that might be a bit more complicated, and probably really would only be practical for an apartment building.

Re:The minute that vulnerabilities were monitized. (0, Troll)

Lally Singh (3427) | more than 6 years ago | (#22395154)

The wall has two words on it: DITCH WINDOWS.

Re:The minute that vulnerabilities were monitized. (0)

Anonymous Coward | more than 6 years ago | (#22395742)

Is that all our resident NASA 'genius' has to say on the subject? Here I've got a research proposal you could use. Make sure you pass it around all the good colleges in the States: GET A JOB. Expand on it with as much waffle as you like (tip: I hear McDonald's is looking for some burger flippers in your area).

Ha. (0, Funny)

Anonymous Coward | more than 6 years ago | (#22394932)

Don't kid yourself. It's not that organized. --Cosmo

If you know there's a hole . . . (1)

arizwebfoot (1228544) | more than 6 years ago | (#22394938)

Why not plug it?

Re:If you know there's a hole . . . (0)

Anonymous Coward | more than 6 years ago | (#22395016)

That's what she said.

- Michael Scott

Re:If you know there's a hole . . . (1, Informative)

Anonymous Coward | more than 6 years ago | (#22395092)

Those who understand the problem do just that -- they disable javascript.

Drop in vulnerabilities... really? (4, Interesting)

grassy_knoll (412409) | more than 6 years ago | (#22394942)

From TFA:

The overall number of vulnerabilities reported for the year went down for the first time in 10 years.


Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up ( as it has been in the past 10 years ) but detection is getting worse.

Have you noticed this? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22394958)

It's the only job that Mexicans have not stole from young Americans..

I have the solution (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22394966)

Give everyone nookular wearpons and brokolie and condomes. HOORYJ! I am not responsible for the content of this message nore the interpretations thereof and you are dumb

Re:I have the solution (0)

Anonymous Coward | more than 6 years ago | (#22395692)

You have injured my soul with your foul racist muddy I am not a trole I am a humane beng. I hope that sxom day GOD will FORGAVE YOUI meanpresoin!!!!!!! :(

Explains the odd attempted breakins.. (5, Interesting)

downix (84795) | more than 6 years ago | (#22394980)

Over the past 4 weeks I've noticed a rash of almost hourly attempted breakins to our servers.

Here's a sample:
ftp attempts for 5 hours straight:
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from ::ffff:82.186.102.42 [::ffff:82.186.102.42] to ::ffff:192.168.10.26:21
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded

ssh attempts almost constant since last friday:

Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith

When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in english, sometimes japanese or chinese. Does anyone know of someone that keeps track of these things, so I can send my logfiles to?

Re:Explains the odd attempted breakins.. (5, Informative)

KublaiKhan (522918) | more than 6 years ago | (#22395028)

The folks over here [sans.org] keep track of that sort of thing. You may want to speak with them.

Re:Explains the odd attempted breakins.. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22395148)

I just go to ARIN.net and look up the technical or abuse contact for whoever owns the netblock containing the IP. I tell them suspicious/malicious activity is coming from one of their IPs, and include a short log excerpt. Usually the machine is dealt with pretty quickly, though I've been lucky... the few attacks that hit me came from pwned hosted servers in the US. If you're getting hit by machines in another country, or by machines on consumer broadband, good luck getting anyone to give a shit.... just firewall them.

Re:Explains the odd attempted breakins.. (1)

EntropyXP (956792) | more than 6 years ago | (#22395432)

How does one tell if they are rootkitted? I have the latest patches and updates to my anti-virus, firewall and anti-spyware software but none of them mention anything about rootkits... Another thing that worries me is my software is all free! Comodo for my firewall, Avast for my anti-virus and Adaware for my anti-spyware...is the free software much worse than the stuff you have to payout for?

Re:Explains the odd attempted breakins.. (1)

bberens (965711) | more than 6 years ago | (#22395840)

Generally, but not always, you can watch outgoing traffic logs on your router to see if there's stuff going on that doesn't make sense. Most people don't have that kind of time. Also, it may be your router which was rootkitted. :)

Re:Explains the odd attempted breakins.. (1)

downix (84795) | more than 6 years ago | (#22396078)

My router is a SPARC running OpenBSD... which only allows SSH access from the internal LAN. I love my router...

Re:Explains the odd attempted breakins.. (0)

Anonymous Coward | more than 6 years ago | (#22395638)

So file abuse reports.

The next batch of servers I configure will firewall any ip with more than 4 SSH login failures. It's not hard to do and will doubtless become default for most OS distros if the current volume of SSH scans continues. The worm that tries obsolete system accounts (rpcuser, rpc, gopher) is the single most retarded thing I've ever seen. Bet I'm not the only admin who fantasizes about meeting the author of that particular pointless bullshit in a dark alley one dark evening.

Re:Explains the odd attempted breakins.. (0)

Anonymous Coward | more than 6 years ago | (#22395918)

"ssh attempts almost constant since last friday"
  • Do you need to allow password based authentication? If not, disable it and use only ssh keys
  • Do all users need to have ssh access? If not, restrict to specific groups of users.
  • Are you running on a non-standard ssh port to reduce automatic bot attempts?
  • Can you add a firewall rule to the box to block too many login attempts?
  • Do you need to allow ssh from anywhere? If not, restrict to the relevant ip blocks.

Re:Explains the odd attempted breakins.. (1)

jschottm (317343) | more than 6 years ago | (#22396446)

The article has very little to do with what you're describing - simple common name/password attacks - which have been going on for years. Iif [sic] you use non-attack-dictionary passwords, these aren't a threat. They just sit there and try things like root/password, root/passw0rd, etc.

These attacks are so common that no one tracks them anymore. SANS has a system that you can submit your firewall logs to but not the detailed syslog information. You can attempt to report the attacks to the appropriate parties - the ISP in the case of home users, the admins of servers, etc. Sometimes you'll get results, often you won't.

Have you disabled root logins for ssh? If not, so so. If you want to reduce the chatter that fills up your log files, change ssh to a different port. You can get various software to automagically firewall off offending systems, but be careful in configuring them - if you're not careful you could end up accidentally blocking out yourself or your users (or allowing someone else to do so).

I wonder what the profits look liike. (2, Interesting)

kabocox (199019) | more than 6 years ago | (#22395052)

We've seen what kinda of profits spam brings in. I wonder how profitable this is.

Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/ [shareaza.com] . It's claimed by a group that be like this. That address used to be shareaza's main site, and it easy for many to not know to go to http://shareaza.sourceforge.net/ [sourceforge.net] for the new updates.

Re:I wonder what the profits look like. (1)

J0nne (924579) | more than 6 years ago | (#22395810)

That particular domain was basically taken over by the recording industry (the real story is longer [shareazasecurity.be] ), although I guess one could say that's organised crime too.

Oooo! The X-Force! (1)

Quiet_Desperation (858215) | more than 6 years ago | (#22395062)

I didn't know IBM hired Rob Liefeld. Did they put Cable in charge of the investigation?

Organized crime, huh? When they hit your browser, does the screen just go black?

Re:Oooo! The X-Force! (1)

FudRucker (866063) | more than 6 years ago | (#22395102)

RE:["Organized crime, huh? When they hit your browser, does the screen just go black?"]

well it is called the "Black Market"...

Dat's a nice browser yous got (5, Funny)

gnarlyhotep (872433) | more than 6 years ago | (#22395146)

Be a shame if sumfin' were to happen to it, like.

Re:Dat's a nice browser yous got (1)

noidentity (188756) | more than 6 years ago | (#22395396)

Dat's a nice browser yous got... Be a shame if sumfin' were to happen to it, like.

...oh, that's not runnin' Winders? Sorry to have bothered you.

Re:Dat's a nice browser yous got (0)

Anonymous Coward | more than 6 years ago | (#22396350)

God, you're unfunny. Slashdot-style nerds and comedy are just in separate universes, aren't they? Stick to your Star Trek jokes, loser.

Lack of Security of any System on the 'Net (2, Insightful)

RobBebop (947356) | more than 6 years ago | (#22395162)

stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'.

5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?

And what personal information is it? To extend the old saying "If it is on the internet, it is public". Well, *all* information you store the computer that you access the internet suffers from this lack of security.

A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet [wikipedia.org] . This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.

But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shutdown outgoing ports/services on Linux [uic.edu] than on Windows [windowsecurity.com] .

As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.

Re:Lack of Security of any System on the 'Net (1)

starfishsystems (834319) | more than 6 years ago | (#22396800)

In fact, no security, of any kind, anywhere, is absolute.

For example, critical US Department of Defense secrets have ended up in the hands of adversaries, despite extreme efforts to safeguard these secrets. And the same is equally true, of course, for other nations. Thus there is demonstrably not a condition of absolute security, even at the most secure end of the scale.

But we're talking here not about military security and state espionage but about web browser vulnerabilities. For the most part the browsers in question are running on consumer grade systems which are not professionally managed. The perception of value and risk for a consumer product is at a much lower point on the scale relative to a hardened military installation. The same security principles apply, of course, but the tradeoffs are characteristically different.

I agree with your comment that it does not help to obscure the security tradeoffs on consumer systems. That encourages misperception. But it also doesn't help to talk about security as if it were all or nothing. That encourages another misperception.

It's not the case that all information is fully exposed if it's not fully secure. The middle ground is quite acceptable for many purposes. For example, safes are rated in terms of how much time is required to break into them, not whether they are or are not absolutely secure. A safe with a higher rating is bigger, heavier, and more expensive. So there is not an absolute solution but instead a range of solutions to suit different needs.

This works because the rating of safes is easy to understand. What we need in the computer industry is a similar objective rating for system security. And as Bruce Schneier points out, this is likely to come about not because of consumer demand directly, but as a result of pressure by the insurance industry.

Re:Lack of Security of any System on the 'Net (1)

RobBebop (947356) | more than 6 years ago | (#22397138)

pressure by the insurance industry.

Snake oil? Software insurance? Can you actually sell this? Oh... sign me up.

  1. Sell software insurance
  2. ???
  3. Don't validate claims because users had insecure protection

Oh, I'm going to go file a patent for this....

To reply seriously...

The perception of value and risk for a consumer product is at a much lower point on the scale relative to a hardened military installation.

To say that users don't store information that has high value to them to be kept private is silly. I was *very seriously* suggesting a non-networked computer to give security. This would eliminate the opportunity for a *software failure* to cause the data to become public. It is understood that a family-member could connect the machine to the internet or either accidently or maliciously copy the data to a machine on the network, but without the act of a human being... the data would be 100% secure.

I've been saying this for a while now (3, Interesting)

rufusdufus (450462) | more than 6 years ago | (#22395226)

I've been saying this for years now: antivirus and firewalls cannot protect from sophisticated attacks.

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]

Nobody wants to hear this. I'm not exacty sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.

I've been saying this since 1967 (0)

Anonymous Coward | more than 6 years ago | (#22395848)

I've been saying since 1967 that if something is important, it should be in pen and paper, with NO electronics either necessary to access or modify it or which makes it POSSIBLE to access or modify it without a human physically turning the pages or moving the pen.

Yeah, I never did get in on upstart companies like MicroSoft, but I never went wrong with Wheat futures either, so your mileage may vary....

Re:I've been saying this for a while now (2)

hotdiggitydawg (881316) | more than 6 years ago | (#22395854)

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.
Who gets to define the term "malignant code", and how? There's your barrier right there. One man's malignant code is another man's valid program (ref. Trusted Computing).

Re:I've been saying this for a while now (1)

durdur (252098) | more than 6 years ago | (#22396074)

executable code must be embedded in hardware read-only media and must be reloaded after every session
What happens when you need to update this executable code? How do you ensure it is only ever updated from a secure/reliable source?

Re:I've been saying this for a while now (2, Interesting)

NotBorg (829820) | more than 6 years ago | (#22396110)

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]
Because there's no reason to update software, ever? I know that I get security updates all the time which I'm happy to say I didn't have to replace a chip to apply. The fact that you can't modify code doesn't make it perfect. Just because you can reload the same imperfect code doesn't mean you'd want to. Your reloading because it was compromised right? Just gonna hold that reset button down indefinitely?

Re:I've been saying this for a while now (0)

Anonymous Coward | more than 6 years ago | (#22396116)

But what is "executable code"? Does Javascript count? bash scripts? MS Word macros?

Re:I've been saying this for a while now (0)

Anonymous Coward | more than 6 years ago | (#22396158)

OK, so my computer is now a game console (only running programs I have a DVD for), and I still have to worry about phishing attacks and Trojans. I don't think that's a very good solution.

dom

It _is_ true that the NES is impervious to attack. (2, Interesting)

northstarlarry (587987) | more than 6 years ago | (#22396456)

Every time I close my text editor and then realize that I meant to type a few more things, I have to take the ROM cartridge out of my computer, put it back in, wait for the volume to be checked, then for the executable to be moved into faster storage (so swapping doesn't take half a minute), and only then do I get to wait for it to be copied into main memory and run? Or is the interim storage too insecure?

How many ROM slots am I supposed to have on my desktop machine? Three, maybe four? So, let's see, I can listen to music, browse the web, have a chat program open, and if I've got a sweet computer, I can also use my calculator application! If I can find all the cartridges on my desk!

Software updates (er, hardware updates?) can now only be obtained conveniently at your nearest MicroCenter or Fry's. F/OSS software^Whardware^Wsecure-read-only-executable updates can be easily obtained by mailing a SAS, padded envelope to the appropriate developer (who now needs a commercial source of ROMs, and a machine to print them, along with the time to do so), who will happily mail you back your ROM just as soon as he or she gets around to it, for a small fee to cover the cost of the media (oops, I guess it's just OSS now!). Old copies of softw^Whardwa^Wwhatever can be conveniently recycled at almost no cost to the user by returning them to the developer.

Do embedded video players count as "executable code"? Congratulations, YouTube is now NetFlix. Welcome back, text-only Web pages. Goodbye, everything that makes the Web useful and interesting.

And you don't understand why nobody thinks it's a good idea?

Re:I've been saying this for a while now (0)

Anonymous Coward | more than 6 years ago | (#22396892)

- by rufusdufus (450462) on Tuesday February 12, @01:54PM (#22395226)
Actually for Windows, there IS another solution:

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA + make it "fun" to do, via CIS Tool guidance:

http://forums.pcpitstop.com/index.php?s=8a4de624349c2b17175bec82a2d6240a&showtopic=150310 [pcpitstop.com]

There IS "another solution", & Linux, Solaris, & BSD variants too (no MacOS X automated one though) that is it, above... & it just works!

Re:I've been saying this for a while now (1)

starfishsystems (834319) | more than 6 years ago | (#22396966)

Nobody wants to hear this. I'm not exacty sure why

Could be because it's an extreme position? Or because knowledgeable system designers don't see that it solves anything? Just a thought.

New form of stick-up? (5, Funny)

DoofusOfDeath (636671) | more than 6 years ago | (#22395290)

Hand me your cache!

(Sorry - for humor I go for quantity, not quality.)

Re:New form of stick-up? (1)

Punko (784684) | more than 6 years ago | (#22396388)

Actually, I laughed out loud when I saw the tag "sleepingwiththephishes" now THAT's funny. But hand over your cache is good, too.

Kick Windows off the Internet (3, Insightful)

EllynGeek (824747) | more than 6 years ago | (#22395338)

I did read the actual report, all 56 pages of it. As usual, Windows' total lack of security guarantees that any random blackhat with a minimum of skill can exploit it. Go ahead and mod me Troll again, you lameass Microsoft-fanboi moderators, but it won't change what the report says- Windows is the problem.

Re:Kick Windows off the Internet (1)

gnick (1211984) | more than 6 years ago | (#22395480)

Windows is the problem.
I'm certainly no MS fanboy, I don't consider your original post a Troll, and I won't even argue your 90% speculation. But I can't blame Windows's security for this. When you have 76% of the market share [wikipedia.org] , it doesn't seem unreasonable that the blackhats will target you 90% of the time. So, unless their security is head-and-shoulders better than the competition, they will still have the most breaches.

Re:Kick Windows off the Internet (1)

RiffRafff (234408) | more than 6 years ago | (#22395826)

Criminals don't steal the most abundant ("popular") car; they steal the easiest. Yet another car analogy, but it works here. Windows' security is knees-and-ankles below the competition. They get targeted first. Otherwise you'd see the Web getting broken everyday, since it's mostly run on Apache with non-Windows servers. IIS and its ilk still get targeted first. Or so has been my observation.

Re:Kick Windows off the Internet (0)

Anonymous Coward | more than 6 years ago | (#22396442)

That depends on why they're stealing it. If they just want a joyride, they steal the easiest. If they want to sell it, they steal the one that will get them the most money for the least hassle. If they want to sell it for parts, they steal the one that has the most lucrative part market.

I look at my car's locks, alarm system, and vehicle immobilizer, thinking that my car is safe because of its great security system. But really, it's only safe because I live in a low-crime neighborhood, my car model isn't particularly popular, and there are people who leave there cars unlocked.

If everybody had my car model and used all the security features, there would be a vast market for parts and the thieves would know all the tricks to get around things like immobilizers. And if there was no way to get around that, they would just wait for me to come around with the key, mug me, and steal the car.

In this analogy, Windows just happens to be the car with the most lucrative parts market. Unix is no harder to break into, it's just that the available money to be had is so much less. If I have to spend X amount of time creating an exploit, why would I concentrate on an OS with 1% market share if I can do the same amount of work and get 90% of the market?

Just look at the terms we use, like 'worm' and 'rootkit'. They came from the Unix world! Back when the Morris worm hit, the almost the whole Internet was running on open source Unix software. Anybody who runs a Linux box has to deal with a constant stream of security fixes. If you had a half-billion people running Linux, most of them would not keep up with the patches, and there would be a large enough population of Linux users that their exploits make the news.

dom

Re:Kick Windows off the Internet (1)

BForrester (946915) | more than 6 years ago | (#22396478)

Parent is completely wrong.

Look up any list of "top" stolen cars. See: Civic, Camry, Accord. These are all abundant, popular vehicles with standard theft-deterrent devices, but that can easily be sold or cannibalized for parts on the black market. Nobody steals the easy vehicles such as old beaters, tractors, and idling delivery vans because they have little market demand, hence value. Virtual crime is not concerned with "resale" potential -- the car analogy is broken.

Re:Kick Windows off the Internet (2)

gnick (1211984) | more than 6 years ago | (#22396874)

Yet another car analogy, but it works here.
Stealing cars and exploiting computer exploits are completely different situations. Imagine a city where 76% of the population drove Hondas. The other 24% drive a variety of cars of roughly the same value. Each make of car has a different security system. Now, if you can figure out how to get around Honda's security system, 76% of the cars in the city are yours for the taking. If you figure out how to get around Buick's security system, you have your choice of the handful of Buicks driving around.

Despite EllynGeek's impassioned opinion to the contrary posted below, I have no problem believing that 90% of the criminals in the city would focus on Honda.

Re:Kick Windows off the Internet (3, Insightful)

EllynGeek (824747) | more than 6 years ago | (#22395914)

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that. It's just not true. Well, it's partly true- with the perfect combination of easily exploited and dominant market share, it's a perfect recipe for organized crime and blackhats of all varieties to run rampant. If an open-source Unix-type operating system were dominant, we would not be seeing all the spam, malware, and botnets that feast unhindered on Windows. The Internet would be a lot safer and a lot less polluted.

The fact is that Windows' sieve-like architecture welcomes malware into the guts of the operating system, while hindering users at every turn, and tight integration with applications and server stacks guarantees that the most peripheral exploits will find a red carpet into the core of the operating system. This is not true of Unix-type operating systems, which are inherently far more secure. Windows' dominant market share ensures that the damage- billions of dollars wasted on extra bandwidth, "security" applications, abuse desks, fraud and identity theft, and so forth- is pandemic. Windows is impossible to secure. It will take a ground-up rewrite to fix it.

There are fundamental differences in culture- in the Unix world, or at least in the open source part of it (Linux, FreeBSD, OpenBSD, NetBSD, OpenSolaris), vulnerabilities are not denied or hidden, but are out in the open and dealt with. It's been proven over and over that openness = stronger security. Two good examples are OpenSSH and OpenSSL. Both are open source, both are used universally in all kinds of applications, such as secure remote sessions and Web applications. Their code is wide open and they are thoroughly documented. Anyone can study their inner workings. Are they successfully exploited? No.

This article is a good start for understanding the fundamental architectural differences: http://www.theregister.co.uk/security/security_report_windows_vs_linux/ [theregister.co.uk]

Re:Kick Windows off the Internet (1)

gnick (1211984) | more than 6 years ago | (#22397230)

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that.
Wow, that was kind of nasty... Did my post somehow make it sound like I thought Windows was as secure as its competitors? The superior security is one of the many reasons I've got Slackware installed.

That said, Windows is attacked much more than the other OS's. It's more popular and, in general, its users are less computer-savvy. If I were a blackhat, Windows would certainly be my choice target for a variety of reasons - Even if it was on an even-footing security-wise with its competitors. I'm certainly on board that market share is not the only reason that Windows is targeted more than others - Not remotely. But, if you have some evidence that "totally debunks" the idea that market share and attack target are correlated, I'd love to see it.

Re:Kick Windows off the Internet (0)

Anonymous Coward | more than 6 years ago | (#22396540)

> When you have 76% of the market share, it doesn't seem unreasonable that the blackhats will target you 90% of the time.

Sure it does [seem unreasonable].

Why, with 76% market share, *reasonable* would be blackhats targeting you 76% of the time.

Re:Kick Windows off the Internet (1)

gnick (1211984) | more than 6 years ago | (#22397308)

with 76% market share, *reasonable* would be blackhats targeting you 76% of the time.
One bank has good security and $24,000 on hand. Another bank has poor security and $76,000 on hand. 90% of bank robbers will decide to rob the latter. The other 10% are either idiots or have ulterior motives for picking the former.

You know... (4, Funny)

Guppy06 (410832) | more than 6 years ago | (#22395366)

"In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007."

If they're going to hose my Windows boxen and install spurious applications of dubious intent, I find that I prefer if they camouflage their attempts so as not to bother me with constant popups from the system tray telling me to install their spyware to get rid of spyware.

You use IE Eh? (1)

PirateBlis (1208936) | more than 6 years ago | (#22395794)

Well we use Firefox, ya hear? And you're gonna start usin' it too, or Vinnie here's gonna make you sleep with the fishes, see

This does not surprise me at all... (2, Informative)

Panaqqa (927615) | more than 6 years ago | (#22396136)

...after all, it was only a matter of time once rootkit source code was published for anyone to grab. From that time onwards, true stealth malware was possible to create without needing to be a security researcher. Combine the ease of integrating someone else's rootkit code into a payload with a vigorous open market for Windows vulnerability information ($25,000 gets you a brand new zero-day exploit) and you reach the situation we have today.

Some people believe the largest botnets out there are ones built with the Storm Worm or other similar exploits. My bet would be that there are plenty larger out there, undetectable because they hide behind rootkits and don't do stupid stuff like turn the box into a spam cannon. And for people who think that the C&C (Command and Control) would be detected, think again: if a rootkit can conceal a file then it can also conceal a process, a named pipe, an interrupt handler, you name it.

biznat3h (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22396258)

BSD's acclaimed troubled OS. Now overly morbid and Are there? Oh, conver5ations where own lube, beverage, Don't feel that

Redundancy.. (1)

DigitAl56K (805623) | more than 6 years ago | (#22396292)

controlling the computers of consumers at 'a rate never before seen on the Internet'
Before remote control of computers starting occurring on the Internet the majority of hacks came from psychics, thus explaining the ever popular tinfoil hat.

something has to change (1)

Grampaw Willie (631616) | more than 6 years ago | (#22397004)

all this hacking of software supposedly developed by professionals is unacceptable. it wasn't like that when we had MVS and RACF.

the fundamental error in thinking is that documents are executable and that we do system updates on the fly

that entire concept needs to go in the junk bin

if you want me to update my system send me a zip

and make sure the enclosed programming is signed

NO SIGNATURE? NO EXECUTE.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...