Hackers Are Winning Security War

HardOCP News

Attention hackers, the other side would like you to know they have thrown in the towel.

"The Net is inherently insecure," Hayden said. "We need to quit admiring the problem and move out. No position could be worse than the one we're in now." "It's pretty discouraging," said Gregory Roll, who came for advice and to consider buying security software for his employer, a large bank that he declined to name because he was not authorized to speak on its behalf. "It's a constant battle, and we're losing."
 
We have various types of insecurity and measures to help improve security, which has been done since the stone ages, and yet still they were never perfect. You don't just do XYZ and you're perfectly secure. (Ok, maybe you can do XYZABCGHI, but that will cost a lot and increase the relative dependence on the people factor of it.)

Why do we (the security industry) keep trying to say we're screwed, because hackers still exist and break into things?

Granted, *I* do think we're losing, but it needs to be carefully framed that we're not losing just because there are still breaches announced. That will always happen. We just need to stem the tide of dead simple, successful attacks. That and start to understand that the business is not going to be interested in spending a lot of money to reduce a possibly small risk to nil.

Besides which, most of the people at RSA have those hackers to thank for their continued paychecks.
 
We have various types of insecurity and measures to help improve security, which has been done since the stone ages, and yet still they were never perfect. You don't just do XYZ and you're perfectly secure. (Ok, maybe you can do XYZABCGHI, but that will cost a lot and increase the relative dependence on the people factor of it.)

Why do we (the security industry) keep trying to say we're screwed, because hackers still exist and break into things?

Granted, *I* do think we're losing, but it needs to be carefully framed that we're not losing just because there are still breaches announced. That will always happen. We just need to stem the tide of dead simple, successful attacks. That and start to understand that the business is not going to be interested in spending a lot of money to reduce a possibly small risk to nil.

Besides which, most of the people at RSA have those hackers to thank for their continued paychecks.

As long as you have users you can never really be secure. All it takes is one human mistake and bam the best security is useless.

As my favorite IT saying goes, The Network was perfect.... and then there were users.
 
There will always be breaches, because there will always be someone who is smarter than the next guy, but each creator thinks they are the best of the best. A group of people got together and collectively created the League of Nations after WW1; their collective minds could not stop WW2. A group of our most brilliant people got together and collectively created the United Nations after WW2, which was going to stop all wars, and guess what, there is a war going on somewhere on this planet. Human beings as such are just too infallible to think otherwise, ehh, at least we try.
 
And this is why all their snooping bills are going to do shit to stop criminal activity on the internet but will be an infringement on our privacy and cost us money out of pocket. The world is run by fucking idiots.
 
New standards and protocols for security are needed. Toss out everything, start fresh.


I'm sure some of the great minds already have been thinking about this, but it's going to take a monumental effort to undo everything and rebuild.

No matter what they decide on, it will be a lot better than congress' solution is going to be (give any government agency with a three-letter acronym unfettered access to everyone's stuff).
 
As long as humans use the internet, or access a network, there will always be hackers! Humans are the weakest link in network security!
 
I honestly thought this would happen sooner. You never heard of this during the 80's or 90's when WarGames or Hackers came to theaters. They need to make another one too.
 
I honestly thought this would happen sooner. You never heard of this during the 80's or 90's when WarGames or Hackers came to theaters. They need to make another one too.

They did...

Live Free or Die Hard
 
It's not an "insecure" system.
It's an -open- system for everyone.
Close it and it's closed for everyone except the elite.
The author of the article needs to forget what he thinks he knows and try again.
 
Didn't this happen in arms races? One side had sticks, then the other got pointy sticks and everyone was all "screw it how can we compete with pointy sticks :("

Oh wait it didn't... Apart from a few times in history when a certain side has technological advantages (British empire, because of ships and guns, Macedonia with better weapons and unit tactics) or by luck, people are balanced out by each other by improving technology and tactics. If the stuff they do now doesn't work, they need to come up with something new, while expecting it to be circumvented.
 
I honestly thought this would happen sooner. You never heard of this during the 80's or 90's when WarGames or Hackers came to theaters. They need to make another one too.

They need to make Hackers on Bluray for starters. This is a travesty to not have available.
 
Didn't this happen in arms races? One side had sticks, then the other got pointy sticks and everyone was all "screw it how can we compete with pointy sticks :("

Oh wait it didn't... Apart from a few times in history when a certain side has technological advantages (British empire, because of ships and guns, Macedonia with better weapons and unit tactics) or by luck, people are balanced out by each other by improving technology and tactics. If the stuff they do now doesn't work, they need to come up with something new, while expecting it to be circumvented.

That works great when two sides are actively trying to beat the other. In the case of most business and digital attackers, the business has no interest in "beating" the other side; just in protecting its own interests. Just like most households aren't out there trying to stop burglars, but instead do as much as they get off their ass to do to alarm, detect, and protect their own home. (Most don't do nearly enough, just like business.)

Right now, attackers prey on business, and IT/security fights with business to get things done right. It's not like attackers are winning with impunity because of lack of tools or techniques or talented people. It's because business doesn't spend the resources to be secure in the first place.
 
Well, I just saw an article on CNN that these companies just need to change their password from password1 to something complicated. Hackers most of the time don't even hack, they just guess the password.

God I should be a security consultant.
 
That works great when two sides are actively trying to beat the other. In the case of most business and digital attackers, the business has no interest in "beating" the other side; just in protecting its own interests. Just like most households aren't out there trying to stop burglars, but instead do as much as they get off their ass to do to alarm, detect, and protect their own home. (Most don't do nearly enough, just like business.)

Right now, attackers prey on business, and IT/security fights with business to get things done right. It's not like attackers are winning with impunity because of lack of tools or techniques or talented people. It's because business doesn't spend the resources to be secure in the first place.

Look at defence then starting with mud walls. All the time defensive structures have been designed to stop attackers, and when a new technology comes along further updates are made and then improved. Even when cannon technology came along people adapted, same with planes and nuclear warheads.

It's all about survival of the fittest. The stupid business models will fail, and the working models will take their place. The vast majority of the time security models fail because of some silly misstep (usually the human element). You learn from this or adapt, or you lose everything. A mistake is never a bad thing, as long as you adapt and don't make it again. Giving up and saying "we made some mistakes and it's haaard not to" is just lazy, and the businesses that do so shall disappear and be replaced by those that do bother.
 
It's all about survival of the fittest. The stupid business models will fail, and the working models will take their place. The vast majority of the time security models fail because of some silly misstep (usually the human element). You learn from this or adapt, or you lose everything. A mistake is never a bad thing, as long as you adapt and don't make it again. Giving up and saying "we made some mistakes and it's haaard not to" is just lazy, and the businesses that do so shall disappear and be replaced by those that do bother.

That's the other problem: Point out to me how many business models have failed due to insecurity or hacker attacks.

Not many people have lost everything due to this. There's a *huge* economics elephant in the room.
 
Well, I just saw an article on CNN that these companies just need to change their password from password1 to something complicated. Hackers most of the time don't even hack, they just guess the password.

God I should be a security consultant.

You might be able to be one these days! LOL

Much of the time these companies have poor web developers (or poor decision-makers who don't make security a requirement) who leave SQL injection holes in their websites. This leads to full database access and disclosure, which in turn means passwords/personal info access and disclosure.

These aren't hard problems to fix, but it does take time, effort, education. Most businesses (and even most people in general) when faced with a deadline will take the gamble of delivering on time and hopefully no one attacks them, or maybe they'll put in security later or something.
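To make the SQL injection hole described above concrete, here is an added example (not code from this thread or from HardOCP) using Python's built-in sqlite3 against a constructed in-memory users table. The string-built lookup lets a crafted username rewrite the query and dump every row; the parameterised lookup, which is the fix the post calls "not hard", treats the same input as a plain value.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a web app's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_a"), ("bob", "hash_b")])
    return conn

def lookup_vulnerable(conn, username):
    # Query built by string concatenation: the user's input becomes part of the SQL text.
    sql = ("SELECT username, password_hash FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, username):
    # Parameterised query: the value is bound separately and never parsed as SQL.
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = make_db()
    # Constructed input: a textbook tautology instead of a real username.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),  # every row comes back
        "hardened": lookup_hardened(conn, hostile),      # no such user, empty result
        "normal": lookup_hardened(conn, "alice"),        # ordinary lookup still works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```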
 
Giving up and saying "we made some mistakes and it's haaard not to" is just lazy, and the businesses that do so shall disappear and be replaced by those that do bother.
I'm not sure if it's lazy or calculated.

If businesses whine to the government enough (or rather, just dump truckloads of money into their campaigns), security could become one cost of business that they can offload on taxpayers.
 
The main problem is that "security" is treated as a product.
"Buy this, do this, set this, etc, etc AND THEN YOU'RE SECURE!"
It's bullshit. I know it. You know it, and so do the shills shoveling their "security" crap at you.

Security is an ongoing and evolving process. And it requires that people actually understand it and the reasoning behind it.

Unfortunately, there are so many vectors of intrusion available that most end-users quite simply can't devote that much attention to it and still do their jobs (most of which have little to nothing to do with security).

And, due to the above, unfortunate circumstance, security is NOT about "keeping people out of your systems". Because the systems you're putting into place are supposed to be there to allow access. And there's never going to be a perfect balance between access and exclusion.

Security is about making your particular little corner of the net so much of a HASSLE to get into in an unauthorized manner that the malicious people give up and move on to greener pastures.

Raymond Teller (of Penn and Teller) actually codified this in one of his rules for selling a trick. You make the secret a lot more trouble than the trick seems worth.

Some people take this to mean the aforementioned "throwing money at the problem" by buying "security solutions". And, because they themselves don't understand, it doesn't work.
 
If you have external-facing internally developed applications you need to include trained and dedicated code security people in your SDLC. Without that, all the security audits and firewalls in the world are pretty useless.

I've been saying this for years, and I would love to make this my niche but everyone wants to go out and hire (big consulting name) to come in and bang around on their apps with some tool for a few days or do an external pen test. There are great security people out there, but even the best of them will never have the same perspective as someone who has been watching the code and application from day 1.
 
I think it is very possible to write software whose code is free from errors. I don't think that it will take a human auditing the code, though, to achieve this. There are a few, albeit preliminary, auditing programs that are being tested to audit code that programmers write. This way, there is no way to miss a mistake in the coding language. (Well, that's the goal anyway.)

Nine times out of ten the reason an exploit is found and used (usually from buffer overruns or jumping the stack) is because it was missed during the auditing process, before its release. As some have stated, this stems from a few reasons; from Management pressuring the development team to hurry the product out the door, to just plain inertia. Security has historically taken a back seat to profit or convenience.

From the server side, SQL has always been a culprit, from the administrator being either unskilled or just lazy in properly configuring the database. There are other reasons I'm sure, from servers storing critical personal data unencrypted (or using weak encryption) to poor policy decisions made by upper management and of course, as others have voiced here, users choosing poor password strength.

What I hope would happen is that if the core of people's concerns is their personal data, or money for that matter, then a bank, for example, should not hold a customer liable for loss of their money if the bank's servers are breached. "A customer's password was too weak" is a poor excuse for not being liable, especially when it's very easy to enforce a strong password policy, these days anywhere from 10-16 alphanumeric characters (upper/lower case, numbers and symbols), to minimize risk. So why don't the banks do it? Again, inertia. It's too complicated for them to do. It's too expensive, etc.

So, if a bank is breached, and customers' accounts are emptied, a bank should insure their customers' money, no matter how little or how much was lost. Banks have constructed weak protection policies regarding their customers (if strange activity on an account is not reported within a certain time frame, etc.); those types of rules should be re-examined if "we're losing the war on hackers".
 