Daddy, what will you do in the new security wars?

A senior figure at the anti-virus giant McAfee once told this writer the security industry was a mess. There were too many vendors trying to do too many things. But what the industry mirrors is the threat landscape it is trying to calm down. Just look at what’s happened in the past six months. Two of the most significant …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    HELP

    I'd like to post something, but I can't remember my password......

    Does one of you know what it is?

    1. Anonymous Coward

      Re: HELP

      Yes.... but first please deposit $1000US into this numbered swiss account 9999999

    2. DJV Silver badge

      Re: HELP

      Didn't you write it down on a post-it note? Yeah, it's probably that one stuck to the side of the monitor with your other passwords and bank details. You know, the one in plain sight from the window.

    3. Al_21
      Holmes

      Re: HELP

      It's in %userprofile%\My Documents\passwords.docx

      1. Captain Scarlet

        Re: HELP

        I normally find it in %userprofile%\Desktop\passwords.txt or written in permanent Marker under the keyboard.

    4. Anonymous Coward

      Re: HELP

      hunter2 I think…

      http://www.bash.org/?244321

    5. This post has been deleted by its author

    6. Anonymous Coward

      Re: HELP

      OK everyone, I found it. It was ******** all along.

  2. This post has been deleted by its author

  3. Anonymous Coward

    I strongly smell the old tug of war between security and ease of use. To at least some extent, they're at odds, as the easier you make it for a legit person to work, the easier it becomes for an adversary to get in. That's why we make users jump hoops, but put up too many hoops and users will go "Blow this for a lark!" and take shortcuts for the sake of their sanity, and again, malcontents can exploit the shortcuts. From their end, they just want to get their work done as simply as possible, so the security team is forced to balance things out.

    And now, in some areas, the problem is reaching intractable levels. As in the required level of security requires more tedium than users and/or prospects are willing to accept. At the required level, too many shortcuts get made while the most they'll tolerate isn't tight enough.

    1. Bloakey1

      "I strongly smell the old tug of war between security and ease of use."

      <snip>

      Confidentiality

      Integrity

      Availability

      CIA.

      Mutually conflicting states but one that can be balanced effectively. Basics in both physical and I.T. security need to be adapted to and maintained. I once did a "friendly" attack on the ****** Nuclear Base at ****** and due to the excess security employed as they expected us there, there were a myriad of exploits to follow. Complexity = complexity, with complexity comes exploits and unperceived issues. With simplicity comes simplicity and an easily understandable framework whose inherent weaknesses can be seen easily.

      Military acronym;

      K.I.S.S = Keep It Simple Stupid.

  4. M7S

    In the home arena...

    The biggest single improvement would probably be a simple explanation for the non technical user included with every new PC or in the OS setup (and I've never seen this in either, although I don't buy many PCs) explaining the following:

    Administrator level accounts should only be used for setup and software installation.

    Have two, a main and a backup just in case you lock one and need to reset the password.

    User accounts should be used for everything else; your email, shopping, watching videos and surfing the internet. Have one for each user, so that you can keep your emails and surprise purchases for your loved ones private.

    If you run things as an administrator and your kids get on the computer, all the viruses they come across on dodgy websites or are emailed will run as if "authorised by the administrator" and you will have problems, just as if you gave them the pin to your ATM/Debit card.

    All accounts should have a password, if only to prevent the kids reading your emails, but it also helps protect against other unwanted problems as well.

    1. Charles 9

      Re: In the home arena...

      Problem is, that's the foolproof fallacy, and I'm sure most of us can refer to a quote by Douglas Adams concerning "the ingenuity of complete fools". And remember, some people have trouble remembering passwords (some have trouble with PINs). The big issue is that a computer, sitting inside someone's domicile, cannot be licensed (unlike a car that has to drive on public roads). There's no way to reliably ensure that the person sitting at the computer at any given time is actually competent enough to use it correctly.

    2. Anonymous Coward

      Re: In the home arena...

      I am not a sysadmin by trade, but I have set up PCs for friends & family I have felt (a) sorry for, and (b) knew it would save me problems in the long run.

      I did exactly that sort of thing: set up a Linux PC for my sister & her family (Windows with AV lasted ~3 months until borked by infections) and lectured them on the benefits of a per-user account and not doing anything dumb.

      That went well for a while, then I got phone calls saying "I can't do/find XYZ..." and it transpired that, in spite of my setup and efforts, she was letting her 2-3 year old on to her account and he just hammered away at the keyboard while watching YouTube, etc. And then she was surprised he had broken things?!

      After some rude lectures this stopped, but she is mature (in her 40s) and has a degree in maths, so not dumb by any measure.

      Then we get to smart phones and tablets. They generally only support a single account, and yet the parents will hand over a £300-600 device to a 2-3 year old to keep them happy and are surprised when it gets borked or broken!

      WTF goes through their minds?

      As much as I hate the whole "walled garden" idea, or the stupidly limited options of a Chromebook, more and more I realise what it must be like to work on a hell-desk, and understand why such fool-subverting options are attractive.

      AC for obvious reasons :(

      1. DropBear
        Mushroom

        Re: In the home arena...

        I'm not sure that's always feasible advice. On my windows box, yup, I'm always admin - it might not be wise, but I do WAY too much tomfoolery with the system in general - every single day - to be logged in as anything else. On the Linux box, fine, I'm J. Random User - with the result that literally my every third command is "sudo !!". So no, sorry - I honestly don't think this is a workable approach for someone still legitimately using a desktop instead of a bloody tablet...

        1. Paul Crawford Silver badge

          Re: @DropBear

          You are not the target audience, it is for Mr & Mrs Average and their family/friends/workmates who have little or no legitimate need to install or configure software on a daily basis.

          Simply forcing them to log-out and back in with an Admin account is often enough to make them pause and ask "Is this really a wise thing to do?"

          1. Anonymous Coward

            Re: @DropBear

            Simply forcing them to log-out and back in with an Admin account is often enough to make them pause and ask "Is this really a wise thing to do?"

            I've found Windows 7 is a lot better at handling this case than Windows XP ever did. I can run as a power user on Windows 7 and have it prompt me for an Administrator username and password. If I do something that needs the privileges, UAC will ask me for credentials, it's not a simple "click to accept", I have to enter a password.

            Much like typing sudo -s on a Linux shell.

            Back in Windows NT days, you set up an Administrator account, then had your users use non-administrative accounts. However to switch between them you had to log out and back in, which therefore encouraged people running as Administrator for convenience. This continued right through until Windows Vista, when they finally got the hint that an analogue of sudo was needed: UAC.

            Microsoft have that message now, and with Windows 7 UAC works quite well. I hate many aspects of the Windows 7 UI, however UAC works the way it should have been done from day 1, and is one feature I support.

            Their next step should be now, to mandate an Administrator account like the old NT days with regular users using Power User or User accounts, and using UAC to gain Administrator access.

        2. itzman

          Re: In the home arena...

          What a weird person you must be. I only ever use sudo (actual or implied) when installing new software which ain't that often, or consenting to security updates..

    3. JJKing

      Re: In the home arena...

      I set up an account called Internet and get them to use that when they go online. If they have the licence, I create a VM and get them to use that for Internet Banking ONLY.

      Had one user who frequented pron sites and they had a VM called Internet. A 10 minute file copy was easier than a complete install due to a totally infected machine.

      Why is it that computer users' brains turn to mush when they sit in front of a screen but they can program a microwave to start the defrost at a certain time and then set the cooking time, even stepping down the power output for a certain period during the whole process. Same thing happens when people board an aeroplane...brains turn to mush.

  5. simmondp

    Those who don't learn from history are doomed to repeat it

    “I think we can take lessons from how physical security has been mounted historically: something as simple as a castle didn’t have just one wall. There were layers of walls and eventually a redoubt within which the most precious items were kept,” Woodward says.

    And how many working, walled cities are there in the world right now? Look at the history, the merchants and the people were too contained by the walls and simply bypassed them, making them obsolete, so now they are simply tourist attractions.

    Fast forward to today, and if you put (more) security in the way of businesses (friction) then they simply go BYoD, Cloud. Parallel IT etc.

    The Jericho Forum outlined this over 10 years ago and also gave you better models to implement.

    But those who don't learn from history are doomed to repeat it (or be out of a job).

    1. DropBear

      Re: Those who don't learn from history are doomed to repeat it

      'Look at the history, the merchants and the people were too contained by the walls and simply bypassed them, making them obsolete, so now they are simply tourist attractions.'

      Exactly. What security experts constantly seem to fail to realize is that perfect security at the cost of usability is of less than ZERO value. FIRST it has to work, and only THEN it should be as secure as possible - the very reason people tend to mindlessly click "yes"/"next"/"continue"/whatever is that the priority number one is the goal they're after, and that MUST HAPPEN at any cost, malware and viruses be damned. Unless and until experts understand this (and find a way around it!), there can be no effective security for the masses.

    2. Anonymous Coward

      Re: Those who don't learn from history are doomed to repeat it

      “I think we can take lessons from how physical security has been mounted historically: something as simple as a castle didn’t have just one wall. There were layers of walls and eventually a redoubt within which the most precious items were kept,” Woodward says.

      The oldest castles had exactly that - one wall making a nice circular tower. For security reasons even.

      You see, a castle with more than one wall has corners and flat edges. When heavy flying objects are thrown against a castle with corners the corner blocks can be pushed out of alignment making the whole wall fall or, easier, the center can be caved inward both opening a hole and falling on some defenders.

      There are three basic types of castle surviving these days: circular towers (single highly defended area), groups of circular towers with walls between (high security areas with medium/low security DMZ behind the walls - circular towers instead of corners),

  6. Sir Runcible Spoon
    Happy

    Sir

    You can't expect ever increasing complexity without the addition of vulnerabilities.

    One way to secure a service on the net would be to simplify the access regarding what you can or cannot do, and then implement a true proxy (such as the old, extremely hard to manage yet effective Gauntlet firewalls).

    The proxy in this sense doesn't just create a connection for you, it will not perform any tasks that are not specifically programmed in to it, and you should be able to re-configure it yourself (i.e. no black-box solution) and possibly allow the code to be opened up for public scrutiny.

    The problem with this approach is that you won't be able to access facebook through it. Did I say problem? Carry on :)

  7. Anonymous Coward

    Posted this before so sorry for the repeat, but after this article I feel even more disdain for our tech future...

    I started out using the net @ uni for a comp-sci degree in the early 90's. It held so much promise. Around the mid to late 90's it started to become over-commercialised, but it still had promise. However, now it just isn't fun anymore: E-Snowden NSA privacy revelations, Heartbleed, the Adobe cloud fiasco, The 'Target' hack, eBay / Paypal weekly meltdowns, Google's stated goal of ads on the internet of everything ....

    I used to be the go-to guy for family friends for tech matters, but I can't be anymore. How can I assure them of anything when even the CEO of Symantec-Norton admits that their own AV / Malware / Phishing products are a sham! I can't even offer advice regarding financial hacking or data privacy, or government spying, because the attack vectors are beyond me...

    I have a home based business. I used to diligently roll out updates and patches and even made assumptions that made me sleep better at night. But who has the time anymore?! I now leave most of my office machines permanently unplugged and off-the-net (and use a USB sparingly by air only when necessary).

    For the machines that are still 'live', I dedicate one to design, another to financial / accounting, and another to (risky) browsing, and isolate all onto different networks... All the while I'm thinking how is this f'ing progress?!!!! In addition I no longer have an active financial presence online, because I don't think the banks / retailers etc, are doing enough to protect consumers, much to the chagrin of pollyannic customer service departments.

    But I used to love the internet and I lament the fact there's so many sheeple using it, thereby fuelling the rise in hacks and scams in this spy-on-ourselves culture... I cannot help but ask, why have an electronic presence that only makes you a mark in the eyes of the five eyes? Why have eBay / Paypal account when you're just a mark to a hacker with ultra-fast broadband in a small town in Romania you've never heard of?... Same goes for Google+, FB, Yahoo and MS mail etc...

    When the net isn't about privacy violations, scamming, account hacking and data breaches, it's saturated by the latest celebrity vampire leveraging it for all it's worth... Driven on by a fickle global-media praying at the altar of the new shiny Twitter, Facebook, Google: 'God'...

    So am I the only one retrenching from the net?

    1. itzman

      Yes and no...

      In the sense that I use the net. It does not use me.

      And a lot of my USE of computers is not dependent on network access.

      In the last 5 years since I have been primarily Linux, I have not been caught by malware. Of any sort. I run no AV software.

      Yes, several of my (potentially infinite) email addresses have been leaked by sites I have given them to, of course, so spam management is a daily chore.

      But that's the full extent of the problem.

  8. Anonymous Coward

    It's the ads...

    A major attack vector seems to be ads - they're served by unknown entities by syndication arrangements and are chock full of flash and silverlight badness. Adblocker may be unpopular with websites that need ad revenue, but it's a critical piece of malware protection

  9. Destroy All Monsters Silver badge
    Flame

    What's up, what's down.

    Not enough attention goes on people and this has been the industry’s biggest failing, says Professor Woodward.

    FAIL. I will believe in that approach when "security stories" start appearing right next to the stories about the latest developments in Monaco's monarchy. In the same mag.

    The UK government has shown some inclination towards improving public awareness.

    FAIL. The UK government has shown some inclination towards spending taxpayer money on quixotic schemes.

    In January it launched the Cyber Streetwise campaign. .... Little is known of the initiative's actual impact.

    Shall I repeat? LITTLE IS KNOWN. And this is not going to change. Nor will anything be changed.

    Simon Placks, head of cybercrime investigations at EY, however, has a very good statement:

    An intrusion is not an illness that can be prevented with good cyber-hygiene.

    On the other hand, you may just be a target of opportunity. There is not much you can do against that except have a dedicated team working on reducing the attack surface, day-in and day-out.

    According to Stewart Room, barrister and solicitor specialising in data protection, that legislation is required to improve the fight against online crimes, is an indictment of the efforts of non-public organisations. ... "If the hacking problem needs regulations to improve cyber security, then as a matter of simple logic the medicine has to be strong, because the market has utterly failed.”

    The failure is you, Mr. Room. Show me how this is supposed to work. No-one even knows what the medicine is and whether it exists in the first place. "The government", unable to find its own arse in the best of times, sure does not - nor can it issue valid regulation in this case. It may even be the perpetrator in a serious percentage of cases.

    Note that "Regulation" is a term that encompasses concepts with differing meaning, so whenever I hear "Regulation" with no further qualification I know that someone is starting to play with words and tries to access the hindbrain. Note how "Airline regulation" [which is about process control] is VERY different from "Stockmarket regulation" [which is about fog generation for the hoi-polloi] and "Healthcare regulation" [which is about entrenching vested interests and giving oneself a progressive do-gooder sheen]. "Regulation" is not a nugget of compressed wisdom from the Gods that will magically result in shifting the no-longer-so-free market to generate secure software affordable by everyone. At best, it will do nothing. Except cost a few millions in legislative soul-searching.

  10. Anonymous Coward

    Here's Johnny... (The Shining)

    http://www.bbc.co.uk/news/technology-28004193

    How long will it take our banks to catch up and give us custom 3 factor authentication then? I'm still waiting....

  11. Colin Wilson 2

    We need to attack this from the other end too:

    * Operating systems shouldn't be able to run unsigned software - ever.

    * Compiler vendors should provide the tools for programmers - whether corporate or a guy in his bedroom - to sign software backed by a certificate that identifies them, and with a proper, trusted certificate chain - no self-signed rubbish.

    * Certificate revocation lists should be enforced as strictly as is practicable.

    * Sandboxing should be made to work properly, strictly enforced, but remain flexible enough to enable programs to do what they need - as long as they've been given explicit permission by the end users

    1. Anonymous Coward

      * Operating systems shouldn't be able to run unsigned software - ever.

      Okay, so what do you define as "software"? Executable binaries, interpreted scripts?

      How do you maintain backward compatibility with existing software/OSes?

      Have you any patches for implementing this in Linux, *BSD, etc?

      Does your implementation require any specialised hardware?

      What do we do about the existing systems?

      * Compiler vendors should provide the tools for programmers - whether corporate or a guy in his bedroom - to sign software backed by a certificate that identifies them, and with a proper, trusted certificate chain - no self-signed rubbish.

      Who do you define as "compiler vendors"?

      Who administrates this certificate chain?

      I presume you have a patch for the LLVM and gcc teams?

      * Certificate revocation lists should be enforced as strictly as is practicable.

      Again, who makes these decisions? Can I as Joe User revoke your certificate? Who has to prove what to whom?

      * Sandboxing should be made to work properly, strictly enforced, but remain flexible enough to enable programs to do what they need - as long as they've been given explicit permission by the end users

      That's about the only point I can agree with. Linux has LXC (the basis for docker), BSD has jails. What does Windows and MacOS X have? What about Android?

      1. Anonymous Coward

        Hmm, how about this. I consider software anything that directly accesses the CPU and has instructions for that CPU. Note that a script or other interpreted code is useless without the interpreter, which falls under the purview of a program. As for backward compatibility? Blow that. Use a VM or a legacy box if you must, but the room gets swept clean here. The OS is itself software and should be subject to the same scrutiny. If we can't accept that, then we must accept that our software is very vulnerable.

        1. Christian Berger

          > I consider software anything that directly accesses the CPU and has instructions for that CPU. Note that a script or other interpreted code is useless without the interpreter, which falls under the purview of a program.

          That's what Google tries to do with the Chromebook. It's no use since then you'll just use security bugs in the browser. It just keeps people from actually running local software outside of the browser.

    2. Christian Berger

      > Operating systems shouldn't be able to run unsigned software - ever.

      We already have signed malware. This will only prevent you from installing your own self-compiled software or software from a trustworthy source. Few trustworthy sources will pay the money for a signature.

      > ... proper, trusted certificate chain - no self-signed rubbish

      Do you know how much a proper certificate costs? Also today we know that at least one attacker can control the root, and we have seen several CAs being taken over by non-governments, as well as customers of CAs being issued certificates far wider than what they should have gotten. The CA world is a terrible mess.

      > Certificate revocation lists should be enforced as strictly as is practicable.

      Even Google now knows that revocation lists are bogus and possibly even harmful:

      https://www.imperialviolet.org/2014/04/19/revchecking.html

      > Sandboxing should be made to work properly, strictly enforced, ... as long as they've been given explicit permission by the end users

      Look at the mobile world. People will enable _every_ permission they are presented with. As long as you cannot patch out the features in the source code.

      It seems like you've never seen the discussions in the late 1990s where "Trusted Computing" came along which tried to do all of this.

      The thing that actually did bring security since then was "Free and Open Source Software". FOSS scared Microsoft into (partially) cleaning up their mess they called Windows. Today when software crashes because of invalid input it's considered to be not just an unimportant bug, but a security problem which needs to be addressed immediately.
