Experts: Network security deteriorating, privacy a lost cause

Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants. "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not …

COMMENTS


  1. Anonymous Coward

    More protection - more risk taking?

    "[...] if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely possible, because they're still going to run with scissors."

    That doesn't fit with the perception that the more you protect people - then the more risks they take.

    1. Charles 9

      Re: More protection - more risk taking?

      The problem is when protection gets in the way of productivity. If the guy wants to run down the hallway with scissors because the boss is tangled up in his/her chair wheels, then you better just get out of the way because safety comes second when the boss is involved, otherwise the risk of stabbing will be the least of your worries.

      As for hunting the wolves, that's also a lost cause because the wolves have already established havens for themselves in countries antagonistic to the sheep: some of them complete with world-ending weapons if push comes to shove. In fact, some of the wolves are in the employ of those self-same countries. How do you hunt a wolf when he's got an ICBM backing him up?

    2. Mikel
      FAIL

      these are different schools

      They should have an air gap.

      1. Fatman

        Re: They should have an air gap.

        And (L)users will find a way around it!!!

        Remember Stuxnet??? IIRC the infection vector was a flash drive.

  2. Michael Hoffmann Silver badge
    WTF?

    Tallyho?

    Lots of talking about dealing with the threats the way we always have, which is of course by using the products these companies are pushing.

    Only near the end does it come to "oh and yeah, hunt the wolves". With not one sentence on how they propose to do that. Under the assumption that Symantec, Imperva, Sourcefire and the lot won't now add missile-armed drones to their network perimeter security arsenal, just what do they propose the average organisation should do to stop the attackers operating out of Russia, China, Romania, Syria, and so on?

    1. Yes Me Silver badge
      Megaphone

      Re: Tallyho?

      "by using the products these companies are pushing"

      Indeed. Here are security companies saying it's all getting worse so you need more of our products. Actually, that's the wrong conclusion. The correct conclusion is that the current approach isn't working so we need something different. Putting gates across exits from the M25 doesn't prevent bank robberies in Central London. Perimeter defence doesn't work. Better designed banks prevent bank robberies. Better designed operating systems and applications prevent cyber attacks and privacy invasions.

      People blame the network for, say, SQL injection attacks. Silliness.

      1. Anonymous Coward

        Re: Tallyho?

        Here are security companies saying it's all getting worse so you need more of our products

        Logically, what they are really saying is "buy more stuff from us, because it didn't work last time either". That's a bit like the current, equally flawed fix to the financial system: "because they ignored our laws, we need more laws".

        I recognised that the current approach wasn't working almost 10 years ago and changed tack. The trick is not to restrict your thinking to technology.

    2. Mikel

      Re: Tallyho?

      All of the security companies have in their license agreement something like: "You accept that we have no chance in Hell of delivering actual security."

    3. JLV
      Black Helicopters

      >add missile-armed drones to their network perimeter

      Nah, unleash the black ice of hell.

  3. Anonymous Coward
    Megaphone

    "To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants."

    I think companies should hire better qualified personnel and, if they actually have those on the payroll, also start listening to them.

    The main problem in many big companies ("Enterprises") is the sometimes endless layers of managers. In certain cases the management layer has actually grown into an entity of its own. With that I'm referring to Enterprise environments that would hire managers solely based on management skills even though the person in question either completely lacks any in-depth understanding of his department or simply doesn't have enough understanding to fully understand what his team is telling him.

    Such a person will more often than not make decisions which make him look good. Or put differently: decisions which are most likely not to cause any members of the layer above him to become displeased (or worse) with him (put differently: his department). Even though, especially when talking ICT, sometimes such decisions have to be taken.

    "We need to upgrade the firewall today, there have been some flaws found in the operating system so we need to upgrade the kernel. It will require a reboot, so the website(s) will be down for a short moment".

    "Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as much visitors to the website as we will have this week".

    And what do you know; the admin who suggested the upgrade simply couldn't explain well enough that we were talking about a zero-day exploit which could allow 3rd parties to gain access to the server. The manager didn't understand enough from his department to inform about the risks involved, so that he could weigh the risk of a longer downtime to the risk of not upgrading the OS then and there.

    The result? Well; you'll be the judge of that. Depending on the flaw and the increase in traffic they could obviously also attract people who might try to exploit said flaw. Or not...

    Even so; in my opinion it's issues like these which are the real culprit. The reason I'm pointing to enterprise (-like) environments should be obvious: in many cases when we're talking about break ins and such these are usually involved.

    Heck; this could even go as far as an enterprise(-like) environment which provides (hosting) services for smaller companies. In my case there are some very strict rules to follow, which was one of the reasons I started hosting with my current provider: if they detect that you run your own DNS server and it can do recursive lookups for everyone they reserve the right to block said server. If they detect that you run your own MTA and it provides an open proxy then the same rules apply.

    How many hosting companies (once again: talking about Enterprise (-like) environments) will simply let it go because they don't consider it their problem ("the customer is responsible for his own server")? Even though enforcing such rules could prevent a lot of Internet "casualties"...

    1. oolor

      I agree with the idea of hiring better people, but perhaps the problem is we simply do not have enough people who can think about the things required in an appropriate manner (speaking about managers). Corollary to that is the fact that many IT-types who have the abilities technically lack adequate communication skills as noted in the article.

      As for your assessment of the true nature of the problem, I think you are dead-on. The people mentioned in the article obviously have a vested interest in selling their services to 'solve' the fear they bestow upon their target audience.

      I learned about security only after I got hacked on a small personal site with no info on it, oddly enough that is what started me on the road to programming since I had to understand the underlying software. Though, I like the idea of designing data security and as part of this I focused on minimizing data collected to start, before I even sat down to lay out the database or connections to it.

      Small data, if I don't need it now, I don't need it.

      1. Charles 9

        "Small data, if I don't need it now, I don't need it."

        The BIG problem with that is the fear that you drop the big one, someone else gets it, and leapfrogs you. And in a cutthroat environment such as this, NO ONE wants to drop the big one and get relegated into obscurity or (worse) liquidation.

    2. deadlockvictim

      My response to this question

      Bossman» "Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as much visitors to the website as we will have this week".

      Me» No. But we have a hole in the firewall. Do you agree to take responsibility in the meantime for any penetration by intruders, data-loss or data-alteration and the resulting resources required to undo the damage caused? While we have a hole there, I can not guarantee it. I will need the answer in writing.

  4. preppy

    What about the LEGAL data aggregators?

    As usual, no one is worried about the privacy threat from perfectly legal data aggregators. Look up ChoicePoint or Acxiom. These people know more about you even than Google or Facebook.

    .......and then there's the worry that someone has hacked THEM!

  5. heenow

    Bull

    Try hacking an iMessage. Even the U.S. Feds are on their knees begging Apple to help them.

    The IT types are years behind. Why? They want everything to go through their servers, which they are not smart enough to secure properly. And they want to be able to put their grubby paws into your email at their leisure, just like a hacker.

    It's time to wipe the slate clean, send IT packing, and start over. Servers shouldn't exist at corporate locations.

    1. Don Jefe
      FAIL

      Re: Bull

      Jesus man, WTF are you talking about: "Servers shouldn't exist at corporate locations"? It's obvious you have no idea what many servers are used for so we'll just move past that.

      In your scenario who the hell would own the servers? Where would they be located?

    2. Fatman

      Re: Bull....Servers shouldn't exist at corporate locations.

      Servers shouldn't exist at corporate locations.

      What's that smell???

      BULLSHIT!!!

      Do we have a cloud salesman here!!!!

      1. heenow
        FAIL

        Re: Bull....Servers shouldn't exist at corporate locations.

        They would be located away from you fools who don't have a clue about security.

        Why can Apple do it with something as public and seemingly vulnerable as iMessage (feds can't crack it), yet you lot can't do it with a closed (convinced the CEO you could, you lying sacks o'...) network.

        That's the BS, sport.

        1. Anonymous Coward

          Re: Bull....Servers shouldn't exist at corporate locations.

          @heenow, take the knife in your kitchen and cut out your left testicle/mammary and those of your offspring, and offer a burnt sacrifice to Apple. But don't send it to them. They might not understand your well intended actions. Just let the smoke fill the air. I'm sure your gods will appreciate your rituals.

          Here, however, we do not worship corporations or anything for that matter. So your praises and bended logic is not welcome here.

  6. Anonymous Coward

    "It's the hacker you need to worry about, not Google itself."

    Amen!

    1. Anonymous Coward

      Re: "It's the hacker you need to worry about, not Google itself."

      If you're in the US maybe, otherwise I *would* worry. At the moment, if you're an EU company and use Gmail for corporate email you're simply breaking EU Data Protection laws and taking the rap for Google.

      1. Tomato42
        Boffin

        Re: "It's the hacker you need to worry about, not Google itself."

        there's a corporate version of Google Apps that's hosted in Ireland for exactly such purpose

        but with generic account, yes, you're right

  7. Anonymous Coward

    There's a better way

    "I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves,"

    Or even better, follow the money and start hunting the wolves' bankers.

    1. Charles 9

      Re: There's a better way

      You'll just find that the bankers are in cahoots and in the same black side of the industry (IOW, the hackers simply turned to financial groups who know how to run shadow accounts and the like). Also, there's a very real possibility of the backers (already antagonistic to the sheep) also being the bankers. Does the phrase "state-sponsored cyberwarfare" ring a bell?

      1. Anonymous Coward

        Re: There's a better way

        I think the economic embargo on Wikileaks showed that this can be applied effectively.

        As for state sponsored hacking, that is targeted at espionage not fraud. Countries can print their own money (well, except for those in the EU but that's another story) so they hardly need to skim your bank account.

        1. Charles 9

          Re: There's a better way

          You can't use Wikileaks as an example because it was striving to stay on the "legal" side of the coin. All their proceeds had to come from legitimate sources or they'd lose their legitimacy. Black hats have no such moral/legal restraint and can use any and all means to obtain money, including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses.

          1. Anonymous Coward

            Re: There's a better way

            Banks, even foreign ones, also try to maintain an air of legitimacy. They also depend on an interconnected financial network for viability. Threaten a bank with a complete financial embargo and I pretty much guarantee they'll start questioning the value of their 'shadow' accounts. You may think this is difficult but here's where the Wikileaks embargo is exemplary. It showed that the US is prepared to flex its global economic muscle when it is pissed, and that global financial organizations are quite happy to help.

            Wikileaks is also germane because it and hackers share another common trait. They piss people off all over the world. That makes it easier for govts and organizations that would normally block a US-led embargo to stand aside and allow it to happen.

          2. Anonymous Coward

            @ Charles

            "including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses"

            None of those things you mention are methods of obtaining money.

            1. Charles 9

              Re: @ Charles

              Mules are a way. They're not under the eye of the law, so they start the chain in a way that the law can't see. Laundering, shuffling the money multiple times, muddies the trail, and the shadow account helps to hide the money from people like taxmen. Another way is to extort/blackmail/glean financial details, which are then used to withdraw money, take a cash advance, or something else that's hard or impossible for a bank to fully reverse. If the transactions are done a little at a time (smurfing) it will be harder for the banks and law to spot before the point of no return.

              The trick is to employ routes that avoid banks and other financial institutions as much as possible. Firms that want to maintain legitimacy keep within their purview as a show of security. The black market wants the opposite: to avoid them.

  8. Anonymous Coward

    political will

    ... is just not there.

    I don't want to sound like a bleeding heart hippy but security eats into profits for a lot of companies and "the man" is only after profit.

    Using more rational phraseology, the current smart meters in the UK are a good example. They are as secure as a paper bag, and would have proceeded with an "it's good for you" push from government.... but now it seems "national security" may be at risk, it gets a little more of the security attention it deserves.

    While there is a divide in what is considered worth protecting, security will continue to be an issue.

    1. oolor
      Facepalm

      Re: political will

      Wow, so a clever teenager living in his mom's basement (<- insert English equivalent of North American stereotype here) can figure out how much 'leccy' you use and when. If they are really clever, they can hack your payments history and find out what appliances you purchased, but they have to be practical to deduce what is being used and when - and what do you care - or perhaps you are worried they will notice an 18/6 or 12/12 cycle and rip your grow?

      1. Richard 12 Silver badge

        Re: political will

        Smart meters do more than that.

        They allow different billing rates at different times.

        - So a miscreant can raise (or lower) your bill, by moving those times around. Perhaps make the Economy period from 1:00am to 1:05am?

        Many allow customers to be remotely disconnected.

        - Cutting a significant proportion of a single substation's load instantaneously could easily destroy the remaining customers' equipment due to overvoltage, and may even damage the substation. This has occasionally happened when a JCB has an accident, covered by the excavation insurance. Who pays for your new TV if it's killed by smart meter hacking?

        - Imagine what would happen if 10% of a region's demand were suddenly cut off without warning? What if it was more than that?

        Given that all potential miscreants will be provided with their very own example of the equipment to play with...

        1. Anonymous Coward

          Re: "billing rates" - Understanding fail

          The meter does not decide how much money you are charged. The meter measures how much energy you use.

          The billing system then works out how much you should pay based on the times and numbers given by the meter.

          The clues are in the names really.

          me·ter (noun): an instrument for measuring, especially one that automatically measures and records the quantity of something, as of gas, water, miles, or time, when it is activated.

  9. Anonymous Coward

    Privacy

    "Give it up," he said, "it's over – everybody's going to know everything".

    Well, he may be right about that, but that lack of privacy is a major factor in the ease with which the miscreants are able to get into systems and hack around. So if he's advocating hunting wolves, I'm sure it wouldn't be too hard to locate Google and the like.

    Until that lack of privacy is rolled back somewhat, any other actions are likely to prove futile.

  10. Joe Montana
    FAIL

    Sheep

    These days no one bothers armouring the sheep, they just armour the pen they're kept in... If a wolf gets into the pen, he can have his pick of any of the sheep who will have become fat and lazy due to the false sense of security provided by the fences.

  11. jubtastic1

    The problem is that our devices are too easily subverted by unexpected inputs.

    No one would accept a washing machine that could be reprogrammed simply by a malformed laundry load (unmatched sock), computers need to get to the same place.

    We shouldn't be in a situation where every web facing app has to recreate the wheel, some degree of validation needs to happen by the underlying system before anything gets to see the bits.

    1. Charles 9

      Re: The problem is that our devices are too easily subverted by unexpected inputs.

      Actually, that can happen in real life. Imagine a sock of just the right material able to slip in through the gap between the tub and the frame, fall into the motor mechanism, and fry it. Congratulations, you just did the mechanical version of a Denial of Service attack: better known as good ol' Sabotage. As for reprogramming it, think of lockpicking or developing a tool to undo one of Apple's screws (or any other "one-way" screw you can imagine).

    2. Ben Tasker
      Stop

      Re: The problem is that our devices are too easily subverted by unexpected inputs.

      But that should already be happening at a basic level. If I'm expecting an integer I should be checking it, certainly before passing it to a database.

      The thing is, implementing any system wide set of validation rules is sort of tricky without knowing what your software is supposed to be doing and expecting. It's down to devs to write safe code (and mistakes will always happen) and it's down to sysadmins to understand their own servers and secure them adequately. Additional software gives some extra protection but if either of those first two fail you're on a hiding to nothing anyway.

      1. Charles 9

        Re: The problem is that our devices are too easily subverted by unexpected inputs.

        Plus sometimes there are constraints to consider. There's a reason C and other less-sophisticated languages are still around. More sophisticated languages that build in garbage collecting and type checking inevitably introduce overhead which can cost you in speed, space, or both. If one or both are at a premium, then you're between Scylla and Charybdis. You can be lean or you can be safe but you likely won't have the capacity to be both unless you bodge it yourself. It's like trying to cram a bigger machine into a smaller frame: physics dictates some things won't make it into the finished product unless you customize.

        1. Anonymous Coward
          Stop

          NOT correct

          You don't really need the inefficiency of Java or C# to have a memory-safe Programming Language. Most of the useful C++ efficiency can be retained in a memory-safe language. See this creation of mine:

          http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf?force=True

          http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

          It has

          + C++ style Destructors

          + object arrays (as opposed to reference arrays)

          + almost all objects and arrays can be stack-allocated

          + efficient object aggregation (as opposed to aggregation by reference)

          + pointers which are automatically reference-counted and call synchronous destructors when required (as opposed to asynchronous GC)

          + is soft-realtime capable (as opposed to GC)

          + type support for memory-safe multithreading

          + efficient generic types

          Essentially, Sappeur is a safe subset of C++ and retains almost all performance features while getting rid of things like "pointing inside an array" and "funny casts out of laziness".

          1. Charles 9

            Re: NOT correct

            Memory-SAFE...but what about memory-EFFICIENT? Can you compile a Sappeur program to run in a limited memory profile, say an embedded device? IOW, can you be BOTH memory-safe AND memory-efficient? What safeguards bounds and other things as such at runtime if there's no extra memory to manage it? That's the tradeoff I'm talking about. It's not always about performance efficiency.

  12. Destroy All Monsters Silver badge
    Thumb Down

    Start off with a turd? Expect me to read this?

    "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said.

    Iran is developing an atomic bomb? Says AIPAC and various sycophants of BushCo, which includes the sorry editorials of WaPo (yes, you Hyatt, you prick) and the War Street Journal.

    Instant disqualification as mouthpieces of the War Lobby.

    You, Mr. House, are just another useful idiot.

  13. Nate Amsden Silver badge

    lost my ass

    I just checked -- I have 7,253 hosts/domains in firefox that are blocked from storing cookies in my browser. Only 378 are allowed to store cookies forever (most of those appear to be work related). Another 2,832 hosts I trust enough to allow cookies for the browser session only. This list is built up over the past probably six years now I have had firefox prompt me for each and every cookie that comes in. The number of cookies on some sites is astonishing. Sometimes I just turn off cookies entirely when I am browsing around gaming sites (which is quite rare), the sheer number of prompts is just insane.

    I checked the numbers by looking at the firefox permissions sqlite database.

    There are times when I have to click through 50 cookie dialog prompts to get to the website in question, because all of these objects are loaded at the same time and they all want to try to set a cookie. But that's the price I pay. Once the preference is stored in firefox I don't get further prompts from that host.

    Sometimes I have to go in and undo a cookie preference if it breaks a site I need to use. That can be annoying, though often times I just use another browser temporarily (it's pretty rare).

    Most of those tracking places (I worked for one of them for a couple years; they have a good privacy rating) don't track you by any other means than cookie, if you block the cookie you're invisible. There are other ways I am exposed of course through linkedin (been wonderful for my career over the years), or my blog (similar -- though took me many years to cave in to that. blog is hosted on my personal colo server) or something. But those I have more control over. I am willingly surrendering that information to the public. Cookies are a different category. I don't use other social media sites. I do my own web site and email hosting (again on my personal colo), etc...

    Though I admit for the more typical user the privacy war is lost -- but for most of those average users they didn't care to begin with, I go back to that survey a while back which placed the value of privacy for folks at about the price of a candy bar (that is they would give up their privacy for the candy bar).
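    The counting the post above describes, as an added example that is not part of the thread: a script that opens a Firefox profile's permissions.sqlite and tallies per-site cookie decisions (block, allow forever, session only). The table layouts (moz_perms keyed by origin, the older moz_hosts keyed by host) and the permission codes 1/2/8 are assumptions of this example, so verify them against the Firefox version you inspect; the sample rows are constructed.

```python
import sqlite3
from typing import Dict, List, Tuple

# Firefox cookie permission codes (nsICookiePermission constants). These values
# are an assumption of this example; confirm them against the Firefox build you inspect.
ACCESS_ALLOW = 1     # cookies may be stored persistently
ACCESS_DENY = 2      # cookies from this site are blocked
ACCESS_SESSION = 8   # cookies accepted for the browser session only

LABELS = {ACCESS_ALLOW: "allow", ACCESS_DENY: "block", ACCESS_SESSION: "session"}

# Two table layouts Firefox has used in permissions.sqlite (assumed schemas):
# moz_perms keyed by origin in newer profiles, moz_hosts keyed by host in older ones.
SCHEMAS = {
    "moz_perms": ("origin", """CREATE TABLE moz_perms (
        id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
        expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)"""),
    "moz_hosts": ("host", """CREATE TABLE moz_hosts (
        id INTEGER PRIMARY KEY, host TEXT, type TEXT, permission INTEGER,
        expireType INTEGER, expireTime INTEGER)"""),
}


def open_profile_db(path: str) -> sqlite3.Connection:
    """Open a profile's permissions.sqlite read-only (copy it first if Firefox is running)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def find_table(conn: sqlite3.Connection) -> Tuple[str, str]:
    """Return (table, site column) for whichever layout the database uses."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    for table, (column, _) in SCHEMAS.items():
        if table in names:
            return table, column
    raise ValueError("no Firefox permission table (moz_perms/moz_hosts) found")


def summarize_cookie_permissions(conn: sqlite3.Connection) -> Dict[str, int]:
    """Count cookie decisions by outcome, ignoring non-cookie permission types."""
    table, _ = find_table(conn)
    counts = {label: 0 for label in LABELS.values()}
    counts["other"] = 0
    # The table name comes from our own whitelist above, never from user input,
    # so interpolating it is safe; the filter value is still passed as a parameter.
    for permission, n in conn.execute(
            f"SELECT permission, COUNT(*) FROM {table} WHERE type = ? GROUP BY permission",
            ("cookie",)):
        counts[LABELS.get(permission, "other")] += n
    return counts


def sites_with_decision(conn: sqlite3.Connection, permission: int) -> List[str]:
    """List the origins/hosts that carry a given cookie decision, e.g. ACCESS_DENY."""
    table, column = find_table(conn)
    rows = conn.execute(
        f"SELECT {column} FROM {table} WHERE type = ? AND permission = ? ORDER BY {column}",
        ("cookie", permission))
    return [row[0] for row in rows]


# Constructed sample rows standing in for a real profile: (site, type, permission).
SAMPLE_ROWS = [
    ("https://tracker.example", "cookie", ACCESS_DENY),
    ("https://ads.example", "cookie", ACCESS_DENY),
    ("https://cdn.example", "cookie", ACCESS_DENY),
    ("https://work.example", "cookie", ACCESS_ALLOW),
    ("https://forum.example", "cookie", ACCESS_SESSION),
    ("https://news.example", "cookie", ACCESS_SESSION),
    ("https://maps.example", "geo", ACCESS_ALLOW),   # not a cookie decision
]


def build_sample_db(layout: str = "moz_perms") -> sqlite3.Connection:
    """Create an in-memory database in the chosen layout, filled with SAMPLE_ROWS."""
    column, ddl = SCHEMAS[layout]
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    for site, ptype, permission in SAMPLE_ROWS:
        # moz_hosts stored bare host names rather than full origins
        value = site if column == "origin" else site.split("://", 1)[1]
        conn.execute(
            f"INSERT INTO {layout} ({column}, type, permission, expireType, expireTime) "
            "VALUES (?, ?, ?, 0, 0)", (value, ptype, permission))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(summarize_cookie_permissions(db))   # {'allow': 1, 'block': 3, 'session': 2, 'other': 0}
    print(sites_with_decision(db, ACCESS_DENY))
```

    To run it against a real profile, replace build_sample_db() with open_profile_db("/path/to/profile/permissions.sqlite"); the non-cookie row in the sample shows why the type filter matters.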

    1. Anonymous Coward

      Re: lost my ass

      I work the other way around, let the cookies in but delete them pretty quickly.

      After I've been to my bank or a gaming site I just Ctrl+Shift+Delete and all cookies, history, cache is gone.

      Try this experiment. Install NoScript and Ghostery in Firefox.

      Go to Sky News or the Daily Telegraph, nothing will work.

      In NoScript "Temporarily allow all this page".

      Watch as Ghostery starts to block all the trackers and notice that NoScript has detected yet another script!

      It is almost never ending and whatever you try the videos won't play. If I really want to see the video I search for it on YouTube.

    2. Anonymous Coward
      Flame

      Re: lost my ass

      You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address. Flushing the cache and maybe even complete blocking of Cookies won't help much, as they still have your IP address, which is typically good for an entire day. It's sufficient to log into webmail once to nail that IP to your account. For the rest of the day, they don't need any cookie to associate all your browsing quite effectively to your person. And of course, they can go back in time if you log into your email after having done other web-based traffic. That works for many scenarios of DSL routers.

      And, sure as hell the webmail companies will sell the Clearname/day/IP address tuple to whoever pays most. Except if it is Google, they want it for themselves and the powers that be.

      Use a proper anonymizer if you want privacy !

      1. Michael Wojcik Silver badge

        Re: lost my ass

        You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address.

        The IP address is hardly reliable, assuming we're talking IPv4, which we very likely are; they're almost always assigned by DHCP and sitting behind NATting routers, so they don't uniquely identify users. Trackers are likely to start with more reliable techniques, such as so-called "web bugs" and ETag-based "respawning cookies" (which are not cookies at all), before falling back on something as low-signal as an IPv4 peer address.

        For some of the big data collectors it's questionable how soon they hit the point of diminishing returns on tracking mechanisms, though. With cookies and Javascript analytics, Google gets the vast majority of its users. The same is true of sites like Facebook and Amazon. They could employ more aggressive tracking, but the incremental improvement to their data will be small. Even for users whose history is obscured, those sites get useful information to add to their aggregate statistics; it's just the history that's missing. That relatively tiny bit of additional history information probably won't affect their models significantly, so why bother with heroic measures?

        Firms that sell tracking data as their primary product - KISSmetrics is a good example, since they were at the front of the ETag-tracking controversy - have a reason to use aggressive tactics: they're marketing points ("we can even track users who delete cookies!"). Sites with smaller user bases that really need to get their recommendation systems up to snuff or provide metrics to show advertising performance (hello, Hulu) may also need to get tricky. But Google and Facebook? If they're using the more-intrusive techniques, it's probably developers trying to justify their salaries. I strongly doubt it makes any difference in the models they're building.

        1. Anonymous Coward

          WHOOSH @ Michael

          The OP wasn't referring to the internal, local, private IP addresses - which in any case are not available to Internet servers anyway.

          He means your public IP, duh, the one your router has. The one all of your clients sit behind using NAT, and therefore appear to have to everyone out on the Internet.

  14. Mikel

    Network security?

    Network security isn't any worse now than it ever was. And it's no better. Also, Unicorns are neither more nor less available. All of these are mythical objects having no substance whatsoever.

  15. Anonymous Coward

    Iran is not developing a nuclear bomb! Does every regular Joe just accept the ridiculous war propaganda without a second thought?

    1. Anonymous Coward
      Mushroom

      I am quite sure they do, as Israel has done a long time ago. Or Britain, France, Russia and of course America. Where is the moral and legal justification for denying Iran to have nukes ?

      America invented and used nukes. Iran merely wants to defend itself against USrael.
