Feeds

back to article Experts: Network security deteriorating, privacy a lost cause

Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants. "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

More protection - more risk taking?

"[...] if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely possible, because they're still going to run with scissors."

That doesn't fit with the perception that the more you protect people - then the more risks they take.

2
1
Silver badge

Re: More protection - more risk taking?

The problem is when protection gets in the way of productivity. If the guy wants to run down the hallway with scissors because the boss is tangled up in his/her chair wheels, then you better just get out of the way because safety comes second when the boss is involved, otherwise the risk of stabbing will be the least of your worries.

As for hunting the wolves, that's also a lost cause because the wolves have already established havens for themselves in countries antagonistic to the sheep: some of them complete with world-ending weapons if push comes to shove. In fact, some of the wolves are in the employ of those self-same countries. How do you hunt a wolf when he's got an ICBM backing him up?

3
1
Silver badge
FAIL

these are different schools

They should have an air gap.

2
0
Bronze badge

Re: They should have an air gap.

And (L)users will find a way around it!!!

Remember Stuxnet??? IIRC the infection vector was a flash drive.

0
0
WTF?

Tallyho?

Lots of talking about dealing with the threats the way we always have, which is of course by using the products these companies are pushing.

Only near the end does it come to "oh and yeah, hunt the wolves". With not one sentence on how they propose to do that. Under the assumption that Symantec, Imperva, Sourcefire and the lot won't now add missile-armed drones to their network perimeter security arsenal, just what do they propose the average organisation should do to stop the attackers operating out of Russia, China, Romania, Syria, on an on?

2
0
Megaphone

Re: Tallyho?

"by using the products these companies are pushing"

Indeed. Here are security companies saying it's all getting worse so you need more of our products. Actually, that's the wrong conclusion. The correct conclusion is that the current approach isn't working so we need something different. Putting gates across exits from the M25 doesn't prevent bank robberies in Central London. Perimeter defence doesn't work. Better designed banks prevent bank robberies. Better designed operating systems and applications prevent cyber attacks and privacy invasions.

People blame the network for, say, SQL injection attacks. Silliness.

5
0
Silver badge

Re: Tallyho?

All of the security companies have in their license agreement something like: "You accept that we have no chance in Hell of delivering actual security."

2
0
Anonymous Coward

Re: Tallyho?

Here are security companies saying it's all getting worse so you need more of our products

Logically, what they are really saying is "buy more stuff from us, because it didn't work last time either". That's a bit like the current , equally flawed fix to the financial system: "because they ignored our laws, we need more laws".

I recognised that the current approach wasn't working almost 10 years ago and changed tack. The trick is not to restrict your thinking to technology..

3
0
JLV
Bronze badge
Black Helicopters

>add missile-armed drones to their network perimeter

Nah, unleash the black ice of hell.

0
0
Silver badge
Megaphone

"To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants."

I think companies should hire better qualified personal and if they actually have those on the payroll also start listening to them.

The main problem in many big companies ("Enterprises") are the sometimes endless layers of managers. In certain cases the management layer has actually grown into an entity of its own. With that I'm referring to Enterprise environments who would hire managers solely based on management skills even though the person in question either completely lacks any in-depth understanding of his department or simply doesn't have enough understanding to fully understand what his team is telling him.

Such a person will more than often make decisions which make him look good. Or put differently: decisions which are most likely not to cause any members of the layer above him to become displeased (or worse) with him (put differently: his department). Even though, especially when talking ICT, sometimes such decisions have to be taken.

"We need to upgrade the firewall today, there have been some flaws found in the operating system so we need to upgrade the kernel. It will require a reboot, so the website(s) will be down for a short moment".

"Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as much visitors to the website as we will have this week".

And what do you know; the admin who suggested the upgrade simply couldn't explain well enough that we were talking about a zero-day exploit which could allow 3rd parties to gain access to the server. The manager didn't understand enough from his department to inform about the risks involved, so that he could weigh the risk of a longer downtime to the risk of not upgrading the OS then and there.

The result? Well; you'll be the judge of that. Depending on the flaw and the increase in traffic they could obviously also attract people who might try to exploit said flaw. Or not...

Even so; in my opinion it's issues like these which are the real culprit. The reason I'm pointing to enterprise (-like) environments should be obvious: in many cases when we're talking about break ins and such these are usually involved.

Heck; this could even go as far as an enterprise(-like) environment which provides (hosting) services for smaller companies. In my case there are some very strict rules to follow, which was one of the reason's I started hosting with my current provider: if they detect that you run your own DNS server and it can do recursive lookups for everyone they preserve the right to block said server. If they detect that you run your own MTA and it provides an open proxy then the same rules apply.

How many hosting companies (once again: talking about Enterprise (-like) environments) will simply let it go because they don't consider it their problem ("the customer is responsible for his own server")? Even though enforcing such rules could prevent a lot of Internet "casualties"...

4
1
Bronze badge

I agree with the idea of hiring better people, but perhaps the problem is we simply do not have enough people who can think about the things required in an appropriate manner (speaking about managers). Corollary to that is the fact that many IT-types who have the abilities technically lack adequate communication skills as noted in the article.

As for your assessment of the true nature of the problem, I think you are dead-on. The people mentioned in the article obviously have a vested interest in selling their services to 'solve' the fear they bestow upon their target audience.

I learned about security only after I got hacked on a small personal site with no info on it, oddly enough that is what started me on the road to programming since I had to understand the underlying software. Though, I like the idea of designing data security and as part of this I focused on minimizing data collected to start, before I even sat down to lay out the database or connections to it.

Small data, if I don't need it now, I don't need it.

2
0
Silver badge

"Small data, if I don't need it now, I don't need it."

The BIG problem with that is the fear that you drop the big one, someone else gets it, and leapfrogs you. And in a cutthroat environment such as this, NO ONE wants to drop the big one and get relegated into obscurity or (worse) liqudation.

1
0
Bronze badge

My response to this question

Bossman» "Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as much visitors to the website as we will have this week".

Me» No. But we have a hole in the firewall. Do you agree to take responsibility in the meantime for any penetration by intruders, data-loss or data-alteration and the resulting resources required to undo the damage caused? While we have a hole there, I can not guarantee it. I will need the answer in writing.

1
0

What about the LEGAL data aggregators?

As usual, no one is worried about the privacy threat from perfectly legal data aggregators. Look up ChoicePoint or Axciom. These people know more about you even than Google or Facebook.

.......and then there's the worry that someone has hacked THEM!

3
0

Bull

Try hacking an iMessage. Even the U.S. Feds are on their knees begging Apple to help them.

The IT types are years behind. Why? They want everything to go through their servers, which they are not smart enough to secure properly. And they want to be able to put their grubby paws into your email at their leisure, just like a hacker.

It's time to wipe the slate clean, send IT packing, and start over. Servers shouldn't exist at corporate locations.

1
13
Silver badge
FAIL

Re: Bull

Jesus man, WTF are you talking about: "Servers shouldn't exist at corporate locations"? It's obvious you have no idea what many servers are used for so we'll just move past that.

In your scenario who the hell would own the servers? Where would they be located?

4
0
Bronze badge

Re: Bull....Servers shouldn't exist at corporate locations.

Servers shouldn't exist at corporate locations.

What's that smell???

BULLSHIT!!!

Do we have a cloud salesman here!!!!

3
1
FAIL

Re: Bull....Servers shouldn't exist at corporate locations.

They would be located away from you fools who don't have a clue about security.

Why can Apple do it with something as public and seemingly vulnerable as iMessage (feds can't crack it), yet you lot can't do it with a closed (convinced the CEO you could, you lying sacks o'...) network.

That's the BS, sport.

0
8
Anonymous Coward

Re: Bull....Servers shouldn't exist at corporate locations.

@heenow, take the knife in your kitchen and cut out your left testicle/mammary and those of your offspring, and offer a burnt sacrifice to Apple. But don't send it to them. They might not understand your well intended actions. Just let the smoke fill the air. I'm sure your gods will appreciate your rituals.

Here, however, we do not worship corporations or anything for that matter. So your praises and bended logic is not welcome here.

0
1
Anonymous Coward

"It's the hacker you need to worry about, not Google itself."

Amen!

0
2
Anonymous Coward

Re: "It's the hacker you need to worry about, not Google itself."

If you're in the US maybe, otherwise I *would* worry. At the moment, if you're an EU company and use Gmail for corporate email you're simply breaking EU Data Protection laws and taking the rap for Google..

2
0
Bronze badge
Boffin

Re: "It's the hacker you need to worry about, not Google itself."

there's a corporate version of Google Apps that's hosted in Ireland for exactly such purpose

but with generic account, yes, you're right

0
0
Anonymous Coward

There's a better way

"I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves,"

Or even better, follow the money and start hunting the wolves bankers.

9
1
Silver badge

Re: There's a better way

You'll just find that the bankers are in cahoots and in the same black side of the industry (IOW, the hackers simply turned to financial groups who know how to run shadow accounts and the like). Also, there's a very real possibility of the backers (already antagonistic to the sheep) also being the bankers. Does the phrase "state-sponsored cyberwarfare" ring a bell?

2
0
Anonymous Coward

Re: There's a better way

I think the economic embargo on wikilieaks showed that this can be applied effectively.

As for state sponsored hacking, that is targetted at espionage not fraud. Countries can print their own money (well, except for those in the EU but that's another story) so they hardly need to skim your bank account.

0
2
Silver badge

Re: There's a better way

You can't use Wikileaks as an example because it was striving to stay on the "legal" side of the coin. All their proceeds had to come from legitimate sources or they'd lose their legitimacy. Black hats have no such moral/legal restraint and can use any and all means to obtain money, including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses.

0
1
Anonymous Coward

Re: There's a better way

Banks, even foreign ones, also try to maintain an air of legitimacy. They also depend on an interconnected financial network for viability. Threaten a bank with a complete financial embargo and I pretty much guarantee they'll start questioning the value of their 'shadow' accounts. You may think this is difficult but here's where the Wikileaks embargo is exemplary. It showed that the US is prepared to flex it's global economic muscle when it is pissed, and that global financial organizations are quite happy to help.

Wikileaks is also germane because it and hackers share another common trait. They piss people off all over the world. That makes it easier for govts and organizations that would normally block a US-led embargo to stand aside and allow it to happen.

0
0
Anonymous Coward

@ Charles

"including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses"

None of those things you mention are methods of obtaining money.

0
0
Silver badge

Re: @ Charles

Mules are a way. They're not under the eye of the law, so they start the chain in a way that the law can't see. Laundering, shuffling the money multiple times, muddies the trail, and the shadow account helps to hide the money from people like taxmen. Another way is to extort/blackmail/glean financial details, which are then used to withdraw money, take a cash advance, or something else that's hard or impossible for a bank to fully reverse. If the transactions are done a little at a time (smurfing) it will be harder for the banks and law to spot before the point of no return.

The trick is to employ routes that avoid banks and other financial institutions as much as possible. Firms that want to maintain legitimacy keep within their purview as a show of security. The black market wants the opposite: to avoid them.

0
0

political will

.. is not just not there.

I dont want to sound like a bleeding heart hippy but security eats into profits for alot of companies and "the man" is only after profit.

Using more rational phraseology, the current smart meters in the UK is a good example. They are as secure as a paper bag, and would have proceeded with "its good for you" push from government.... but now it seems "national security" may be at risk, it gets a little more of the security attention it deserves.

While there is a divide in what is considered worth protecting, security will continue to be an issue.

6
2
Bronze badge
Facepalm

Re: political will

Wow, so a clever teenager living in his mom's basement (<- insert English equivalent of North American stereotype here) can figure out how much 'leccy' you use and when. If they are really clever, they can hack your payments history and find out what appliances you purchased, but they have to be practical to deduce what is being used and when - and what do you care - or perhaps you are worried they will notice an 18/6 or 12/12 cycle and rip your grow?

0
8
Silver badge

Re: political will

Smart meters do more than that.

They allow different billing rates at different times.

- So a miscreant can raise (or lower) your bill, by moving those times around. Perhaps make the Economy period from 1:00am to 1:05am?

Many allow customers to be remotely disconnected.

- Cutting a significant proportion of a single substation's load instantaneously could easily destroy the remaining customers' equipment due to overvoltage, and may even damage the substation. This has occasionally happened when a JCB has an accident, covered by the excavation insurance. Who pays for your new TV if it's killed by smart meter hacking?

- Imagine what would happen if 10% of a region's demand were suddenly cut off without warning? What if it was more than that?

Given that all potential miscreants will be provided with their very own example of the equipment to play with...

2
2
Anonymous Coward

Re: "billing rates" - Understanding fail

The meter does not decide how much money you are charged. The meter measures how much energy you use.

The billing system then works out how much you should pay based on the times and numbers given by the meter.

The clues are in the names really.

me·ter

noun

1.

an instrument for measuring, especially one that automatically measures and records the quantity of something, as of gas, water, miles, or time, when it is activated.

0
0
Silver badge

Privacy

"Give it up," he said, "it's over – everybody's going to know everything".

Well, he may be right about that, but that lack of privacy is a major factor in the ease with which the miscreants are able to get into systems and hack around. So if he's advocating hunting wolves, I'm sure it wouldn't be too hard to locate Google and the like.

Until that lack of privacy is rolled back somewhat any other actions are likely to prove futile

7
0
FAIL

Sheep

These days noone bothers armouring the sheep, they just armour the pen they're kept in... If a wolf gets into the pen, he can have his pick of any of the sheep who will have become fat and lazy due to the false sense of security provided by the fences.

5
0
Bronze badge

The problem is that our devices are too easily subverted by unexpected inputs.

No one would accept a washing machine that could be reprogrammed simply by a malformed laundry load (unmatched sock), computers need to get to the same place.

We shouldn't be in a situation where every web facing app has to recreate the wheel, some degree of validation needs to happen by the underlying system before anything gets to see the bits.

1
0
Silver badge

Re: The problem is that our devices are too easily subverted by unexpected inputs.

Actually, that can happen in real life. Imagine a sock of just the right material able to slip in through the gap between the tub and the frame, fall into the motor mechanism, and fry it. Congratulations, you just did the mechanical version of a Denial of Service attack: better known as good ol' Sabotage. As for reprogramming it, think of lockpicking or developing a tool to undo one of Apple's screws (or any other "one-way" screw you can imagine).

1
0
Silver badge
Stop

Re: The problem is that our devices are too easily subverted by unexpected inputs.

But that should already be happening at a basic level. If I'm expecting an integer I should be checking it, certainly before passing it to a database.

The thing is, implementing any system wide set of validation rules is sort of tricky without knowing what your software is supposed to be doing and expecting. It's down to devs to write safe code (and mistakes will always happen) and its down to sysadmins to understand their own servers and secure them adequately. Additional software gives some extra protection but if either of those first two fail you're on a hiding to nothing anyway.

1
0
Silver badge

Re: The problem is that our devices are too easily subverted by unexpected inputs.

Plus sometimes there are constraints to consider. There's a reason C and other less-sophisticated languages are still around. More sophisticated languages that build in garbage collecting and type checking inevitably introduce overhead which can cost you in speed, space, or both. If one or both are at a premium, then you're between Scylla and Charybdis. You can be lean or you can be safe but you likely won't have the capacity to be both unless you bodge it yourself. It's like trying to cram a bigger machine into a smaller frame: physics dictates some things won't make into the finished product unless you customize.

1
0
Stop

NOT correct

You don't really need the inefficiency of Java or C# to have a memory-safe Programming Language. Most of the useful C++ efficiency can be retained in a memory-safe language. See this creation of mine:

http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf?force=True

http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

It has

+ C++ style Destructors

+ object arrays (as opposed to reference arrays)

+ almost all objects and arrays can be stack-allocated

+ efficient object aggregation (as opposed to aggregation by reference)

+ pointers which are automatically reference-counted and call synchronous destructors when required (as opposed to asynchronous GC)

+ is soft-realtime capable (as opposed to GC)

+ type support for memory-safe multithreading

+ efficient generic types

Essentially, Sappeur is a safe subset of C++ and retains almost all performance features while getting rid of things like "pointing inside an array" and "funny casts out of laziness".

0
0
Silver badge

Re: NOT correct

Memory-SAFE...but what about memory-EFFICIENT? Can you compile a Sappeur program to run in a limited memory profile, say an embedded device? IOW, can you be BOTH memory-safe AND memory-efficient? What safeguards bounds and other things as such at runtime if there's no extra memory to manage it? That's the tradeoff I'm talking about. It's not always about performance efficiency.

0
0
Silver badge
Thumb Down

Start off with a turd? Expect me to read this?

"We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem" Brocade Communications chairman David House said

Iran is developing an atomic bomb? Says AIPAC and various sycophants of BushCo, which includes the sorry editorials of WaPo (yes, you Hyatt, you prick) and the War Street Journal.

Instant disqualification as mouthpieces of the War Lobby.

You, Mr. House, are just another useful idiot.

5
2
Bronze badge

lost my ass

I just checked -- I have 7,253 hosts/domains in firefox that are blocked from storing cookies in my browser. Only 378 are allowed to store cookies forever(most of those appear to be work related). Another 2,832 hosts I trust enough to allow cookies for the browser session only. This list is built up over the past probably six years now I have had firefox prompt me for each and every cookie that comes in. The number of cookies on some sites is astonishing. Sometimes I just turn off cookies entirely when I am browsing around gaming sites(which is quite rare), the sheer number of prompts is just insane.

I checked the numbers by looking at the firefox permissions sqlite database.

There are times when I have to click through 50 cookie dialog prompts to get to the website in question, because all of these objects are loaded at the same time and they all want to try to set a cookie. But that's the price I pay. Once the preference is stored in firefox I don't get further prompts from that host.

Sometimes I have to go in and undo a cookie preference if it breaks a site I need to use. That can be annoying, though often times I just use another browser temporarily (it's pretty rare).

Most of those tracking places(I worked for one of them for a couple years they have a good privacy rating) don't track you by any other means than cookie, if you block the cookie you're invisible. There are other ways I am exposed of course through linkedin(been wonderful for my career over the years), or my blog(similar -- though took me many years to cave in to that. blog is hosted on my personal colo server) or something. But those I have more control over. I am willingly surrendering that information to the public. Cookies are a different category. I don't use other social media sites. I do my own web site and email hosting(again on my personal colo), etc...

Though I admit for the more typical user the privacy war is lost -- but for most of those average users they didn't care to begin with, I go back to that survey a while back which placed the value of privacy for folks at about the price of a candy bar(that is they would give up their privacy for the candy bar).

1
0
Anonymous Coward

Re: lost my ass

I work the other way around, let the cookies in but delete them pretty quickly.

After I've been to my bank or a gaming site I just Ctrl+Shift+Delete and all cookies, history, cache is gone.

Try this experiment. Install NoScript and Ghostery in Firefox.

Go to Sky News or the Daily Telegraph, nothing will work.

In NoScript "Temporarily allow all this page".

Watch as Ghostery starrts. to block all the trackers and notice that NoScript has detected yet another script!

It is almost never ending and whatever you try the videos won't play. If I really want to see the video I search for it on YouTube.

0
0
Flame

Re: lost my ass

You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address. Flushing the cache and maybe even complete blocking of Cookies won't help much, as they still have your IP address, which is typically good for an entire day. It's sufficient to log into webmail once to nail that IP to your account. For the rest of the day, they don't need any cookie to associate all your browsing quite effectively to your person. And of course, they can go back in time if you log into your email after having done other web-based traffic. That works for many scenarious of DSL routers.

And, sure as hell the webmail companies will sell the Clearname/day/IP address tuple to whoever pays most. Except if it is Google, they want it for themselves and the powers that be.

Use a proper anonymizer if you want privacy !

0
0
Bronze badge

Re: lost my ass

You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address.

The IP address is hardly reliable, assuming we're talking IPv4, which we very likely are; they're almost always assigned by DHCP and sitting behind NATting routers, so they don't uniquely identify users. Trackers are likely to start with more reliable techniques, such as so-called "web bugs" and ETag-based "respawning cookies" (which are not cookies at all), before falling back on something as low-signal as an IPv4 peer address.

For some of the big data collectors it's questionable how soon they hit the point of diminishing returns on tracking mechanisms, though. With cookies and Javascript analytics, Google gets the vast majority of its users. The same is true of sites like Facebook and Amazon. They could employ more aggressive tracking, but the incremental improvement to their data will be small. Even for users whose history is obscured, those sites get useful information to add to their aggregate statistics; it's just the history that's missing. That relatively tiny bit of additional history information probably won't affect their models significantly, so why bother with heroic measures?

Firms that sell tracking data as their primary product - KISSmetrics is a good example, since they were at the front of the ETag-tracking controversy - have a reason to use aggressive tactics: they're marketing points ("we can even track users who delete cookies!"). Sites with smaller user bases that really need to get their recommendation systems up to snuff or provide metrics to show advertising performance (hello, Hulu) may also need to get tricky. But Google and Facebook? If they're using the more-intrusive techniques, it's probably developers trying to justify their salaries. I strongly doubt it makes any difference in the models they're building.

0
1
Anonymous Coward

WHOOSH @ Michael

The OP wasn't referring to the internal, local, private IP addresses - which in any case are not available to Internet servers anyway.

He means your public IP, duh, the one your router has. The one all of your clients sit behind using NAT, and therefore appear to have to everyone out on the Internet.

0
0
Silver badge

Network security?

Network security isn't any worse now than it ever was. And it's no better. Also, Unicorns are neither more nor less available. All of these are mythical objects having no substance whatsoever.

2
0
Anonymous Coward

Iran is not developing a nuclear bomb! Does every regular Joe just accept the ridiculous war propaganda without a second thought?

3
1
Mushroom

I am quite sure they do, as Israel has done a long time ago. Or Britain, France, Russia and of course America. Where is the moral and legal justification for denying Iran to have nukes ?

America invented and used nukes. Iran merely wants to defend itself against USrael.

0
1

Page:

This topic is closed for new posts.