Daft users and insecure web apps dominate threat index

Cyber criminals and spies have shifted their focus of attack in response to improved security defences. Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built …

COMMENTS

This topic is closed for new posts.
  1. Glenn Gilbert

    Step 1: remove internet explorer

    Step 2: remove messenger

    Step 3: remove office

    There's a trend here...

  2. Bernard Mergendeiler

    Step 4

    If it's a Windows system, rename the Administrator account to something reasonably obscure and unguessable

  3. Jason Togneri
    Unhappy

    Congratulations!

    Once more, we come to the exact same conclusion as every time: regardless of security, scanners and firewalls, the single greatest problem regarding computer security is the utter morons who use the things - "the problem lies quite clearly between the screen and the chair".

  4. EvilFairy
    Pirate

    Better security

    A more secure approach would be

    Step 1: Remove unnecessary internet access from users

    The fact is most users have no need to access the internet, and without access they can't get their systems infected apart from through email viruses or trojans.

    Step 2: Disallow external mailing unless required for the job

    If they can't mail anyone outside the company or receive emails from outside, they can't leak passwords or get infected from outside.

    Step 3: Train users that have internet access and email to be safe online and understand how to use a computer

    Step 4: shoot the ones that leak info / get infected systems

    They clearly didn't learn anything in their training, and hopefully you caught them before they breed.

    Step 5: don't use web apps; anything that's accessible on the internet can be assumed to be insecure

    Step 6: sod it, live in a cave with no power; your data and computer will be secure then :)

  5. Chris Miller

    It's worse than that, Jim

    "Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications,"

    What do businesses want from their web apps? They want them to look good, be responsive and they want them yesterday. Security doesn't come into the equation, even if developers had access to the necessary testing tools (which most of them don't). Web application security is going to get a whole lot worse before it gets better.

    http://xkcd.com/327/

  6. Anonymous Coward
    Happy

    @Gilbert

    Yes, that's right: by not running MS and only Firefox & Linux you will be 100% totally safe, no need for updates, patches, firewalls, a/v etc etc, you are totally safe, 100%, yes, totally safe, no flaws in those babies, 100% secure.....

  7. Nick Ryan Silver badge

    Developers...

    Developers... the problem with almost all (new) developers these days is that they're entirely and utterly clueless about ANYTHING that happens below the level at which they point, click and drag stuff around the screen to make an "application".

    I've recently encountered "developers" who had no idea of the difference between tinkering with scripting and programming, had no idea what the hell an object is (even though they use them all the time) and haven't got the slightest clue how a network connection actually works.

    But it's all OK really, because the exam results are way up and the new developers have all been successfully brainwashed into believing that anything non-Microsoft is "bespoke" (so shouldn't be touched) and there is only one word processor, one spreadsheet application, one web server application, etc.

  8. Glenn Gilbert

    Security, ease of use, low cost - pick any two

    The reason IE's so insecure is that its code base goes back to the days when Microsoft didn't know their arses from their elbows when it came to writing applications. They have changed and are definitely getting better. However, they're stuffed with crap ancient code which is full of bugs - that's if it makes any sense, as it's purported to be nigh-on impossible to understand because it's been modified so much over the years. And, let's face it, MS did nothing with IE6 from 2001 to 2006.

    So, on the one hand there's IE, which is based on an ancient engine and has security features from the dark ages of the browser wars (e.g. ActiveX). On the other there are the relative newcomers, including Firefox, which uses Open Source techniques and so has many times more programmers examining the code.

    Which one's more likely to be secure?

    Wouldn't it be great if the EU demanded that MS extracted IE from their operating systems. It would do masses of good for the security of the clients.

  9. Kwac
    Unhappy

    @Stu Reeves

    I think you miss Glenn Gilbert's point.

    The item is headed 'daft users & insecure web apps'.

    By attempting to ridicule a pertinent point, i.e. that Windows, IE & Outlook Express, etc. as shipped by MS over 15 years - set up by pillocks for other pillocks so they don't need to think - fall neatly into both categories.

    Why you mention Linux & Firefox I'm unsure.

    If e.g. Ubuntu, Red Hat, SuSE et al. followed MS's example and automatically allowed admin rights for every user, or built a browser into the OS, I'm sure they'd have similar problems - and would deserve to be pilloried.

  10. Anonymous Coward

    I've said this a thousand times

    Security is only as good as your most stupid user... secondly, if builders built buildings the way programmers write code, the first woodpecker that comes along is going to destroy civilization.

  11. Scott Mckenzie

    MMmmmmm......

    ......Mac.

  12. Chris Cheale

    insecure web-apps

    Well, yes - comparatively speaking, web based applications will always be the weak point in the security chain - they have to be known, public locations.

    The trick, I reckon, is to work out what your web-app needs to know. Does it need access to the back office? Really (the answer here should be "no")? How much user data does it need and how much should be encrypted? How are you maintaining sessions and preventing hijacking? Does it matter if the session is hijacked ("if you are not Chris Cheale - click here" Amazon style)? This rather depends on what that session allows access to; is it a "public" or "private" session?

    Another thing is how well your app cleans up after itself; just how good is the garbage collection? Don't leave dead session (or other) data lying around - it's just asking for trouble. Oh, and trust no-one - sanitise all data going between your application and display layers - type fix it where you can.

    What worries me a little is that because I'm an entirely self-taught LAMP-type developer, I'm sure there are things I'm missing - so I never stop trying to learn.

    What worries me a _lot_ is the amount of code for web-apps I've seen that is utter shite; that I'd be ashamed to put my name to, let alone charge anyone for.
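An added example, written here and not taken from this thread or from The Register, of the two practices in the comment above: type-fixing untrusted request parameters where you can, and encoding everything else for the context in which the display layer emits it. It is in Python rather than the PHP a LAMP developer would use; the request dictionary, the helper names and the allow-list of sort columns are constructed for the illustration and are not from the page.

```python
import html
import json
from urllib.parse import quote

# Constructed sample request, as a web framework might hand it to the application.
# Hypothetical data for this example only; two of the values are hostile on purpose.
SAMPLE_QUERY = {
    "page": "3",
    "sort": "name'; DROP TABLE users;--",
    "q": "<script>alert(1)</script>",
}


def fix_int(raw, lo, hi, default):
    """Type-fix: coerce a query-string value to an int inside [lo, hi], else default."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return default
    return value if lo <= value <= hi else default


def fix_choice(raw, allowed, default):
    """Type-fix: only accept a value from a fixed allow-list (e.g. a sort column)."""
    return raw if raw in allowed else default


def for_html(value):
    """Encode for HTML text or a quoted attribute: & < > " ' become entities."""
    return html.escape(str(value), quote=True)


def for_url_param(value):
    """Encode for a URL query parameter; nothing but unreserved characters survives."""
    return quote(str(value), safe="")


def for_script(value):
    """Encode for a JavaScript string literal inside a <script> block.

    JSON encoding handles quotes and backslashes; "<" is additionally written as
    \\u003c so a value containing "</script>" cannot close the block early.
    """
    return json.dumps(str(value)).replace("<", "\\u003c")


def render_search(query):
    """Build the results page: typed values are fixed, free text is encoded per context."""
    page = fix_int(query.get("page"), 1, 1000, 1)
    sort = fix_choice(query.get("sort"), ("name", "date"), "name")
    q = str(query.get("q", ""))[:200]  # free text: bound the length, then encode on output
    return (
        f"<h1>Results for {for_html(q)}</h1>\n"
        f'<a href="?q={for_url_param(q)}&amp;page={page + 1}&amp;sort={sort}">next</a>\n'
        f"<script>var lastQuery = {for_script(q)};</script>"
    )


if __name__ == "__main__":
    print(render_search(SAMPLE_QUERY))
```

The division of labour is the point: values with a natural type (a page number, a column name) are forced into that type or an allow-list at the boundary, so the database layer never sees the raw string, while free text such as a search term cannot be "cleaned" once and for all because the safe encoding differs for HTML, a URL and a script block; it is encoded at the moment the display layer emits it, once per context.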

  13. Anonymous Coward
    Flame

    @Scott

    Careful with that, ensure flame retardant coat is donned!

    iFlamers incoming!
