Reader Comments

Subscribe: RSS

View by: Time | Thread

• 

  rightnumberone, 16 Sep 2005 @ 11:41am

  
  

  No Subject Given

  Okay, I'll take the bait: Many of today's security problems cannot be prevented by IT personnel, but CAN be prevented by users. For example: frequently, it will be discovered that there is a security vulnerability in, say, Internet Explorer. Miscreants can use that vulnerability to take over any computer, but only if the miscreant can get the user to visit their site through fairly obvious social engineering tricks that just about any 12 year old can spot now. Corporate IT departments cannot prevent the stupid user from visiting the site (which, after all, is promising to end the misery of their daily lives if only they will click on over). Corporate IT departments cannot rewrite Internet Explorer. Only the user can prevent the security breach from occurring by not falling for the bait. And that is why security measures that rely on users not doing stupid things is a poor security system indeed. Yet, here we are. Such a breach is totally unpreventable by IT personnel, and is totally the fault of the dolt user. An IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page. Then, management could easily identify the dolts within their ranks and fire them as security risks. If one did this for say, 4 or 5 days in a row, I bet that the problem would magically disappear as word got round that an IQ test was ongoing. Alas, I cannot get management buy-in for this proposal. (And please, you Linux folks ...don't tell me the answer is to use Firefox! All software is vulnerable.)

  [ link to this | view in chronology ]

  • 

    jdw242, 16 Sep 2005 @ 12:35pm

    
    

    Re: No Subject Given

    "...An IT manager I could, I guess, send out trick emails containing a link to a given page to all users at my company and make that link look especially like a phishing, scamming or virus-infecting email. Then, I suppose, one could keep track of which employees fell for the ruse and opened the page..."
    
    Did that; sent out phishing bait with a link asking detailed questions to gather account numbers, etc.
    Problem was, nobody took the bait. They all called the helpdesk and asked if it was a real email.
    
    The failing here is those stupid chain letters. If someone sent one out and embedded a bad link in there any insufficiently protected network could be compromised.
    
    I'm confident in the steps we've taken as an IT department to protect the world from our users, as well as our users from the world, but, as you said, all software is vulnerable. Problem there is the manufacturer doesn't seem to care most of the time.

    [ link to this | view in chronology ]

    • 

      GS, 16 Sep 2005 @ 1:26pm

      
      

      Re: No Subject Given

      It's not the fault of IT or the end users. It's the fault of the OS (including browser & email) for including so much "flexibility" that every teenager with too much time on their hands can hack your system. The OS and apps belong in ROM. You don't have hackers taking over your refrigerator or toaster. That's because you can't redesign hardware remotely. Someday this will be a reality. Until then we live in the dark ages of computers.

      [ link to this | view in chronology ]

      • 

        PSC, 16 Sep 2005 @ 2:40pm

        
        

        Re: No Subject Given

        I disagree. It's no one fault but the world's governments. As long as governments continue to treat the people who create this stuff as less than full-fledged criminals, they'll continue on their merry way. Look, the lock on my front door isn't bullet proof; it can be picked, broken, etc. That doesn't mean that that it's the lock maker�s fault if my house gets broken into. But if criminals when caught, aren't sent to jail then it's sending a message that it's OK to break into my house.
        If Germany would have sent that kid that wrote Sasser to jail for 20 years instead of a one-year suspended sentence, hacker may think twice about what they are doing. If instead of paying MS when caught, then setting up shop elsewhere, spammers were sent to jail for a long time, my company wouldn't need to spend thousands of dollars on anti-spam & anti-virus software every year. Any modern system is too complicated to ever be 100% secure, we need to start looking at the problem differently.
        

        [ link to this | view in chronology ]

        • 

          jdw242, 16 Sep 2005 @ 4:14pm

          
          

          Re: No Subject Given

          certainly punishment is a valid argument, but script kiddies as a group are tied to the challenge by adrenaline and a desire to subvert the rules.
          
          If they up the ante by saying you'll go to jail for 20 years, the challenge just got upped big time.
          
          Not slapping on an super-sized sentence can lead to other methods of silencing the inner adrenaline junkie these types have become...
          
          as usual, correct me if I am wrong.

          [ link to this | view in chronology ]

          • 

            PSC, 16 Sep 2005 @ 6:07pm

            
            

            Re: No Subject Given

            While I agree with you that there will always be a group that cannot be deterred no matter how stiff the penalty, "real" punishment I think would have two affects. First, it would deter the causal hacker. These aren't the diehards, these are the ones that download a toolkit, make a few mods, and wait for TV coverage. Secondly, you can�t deter the diehards, but at least you'd get them off the net once you catch them. They can�t code from a jail cell.
            
            All the finger pointing between users, admins, developers, browsers, OSs, etc really bothers me. The discussion we should be having is how do we get these criminals off the street.
            

            [ link to this | view in chronology ]

            • 

              GS, 19 Sep 2005 @ 7:23am

              
              

              Re: No Subject Given

              You guys are still missing the point. The problem here is a fundamentally bad engineering design. Allowing malicious (or accidental!) overwrites of your program data is just asking for trouble. Please observe that we aren't having these same discussions about teenagers hijacking refrigerators or television sets.

              [ link to this | view in chronology ]

• 

  Michael Vilain, 16 Sep 2005 @ 1:28pm

  
  

  Just don't give them the keys...

  Anyone who wants admin (or root) privilege on their desktop box (so they can install stuff on it either intentionally or because it's "their" machine) should become part of the IT team and carry the on-call pager.
  
  You get the midnight-6am Sunday shift...

  [ link to this | view in chronology ]

  • 

    Chris, 16 Sep 2005 @ 1:33pm

    
    

    Re: Just don't give them the keys...

    So, true. Or it could be like my company where our Corporate IT heads specify that all of our domain users are local admins on every machine throughout the country. I wonder if our IT Heads have ever heard of Admin Shares or remote registry access, amongst everything else. Out of 900+ PC users I cannot believe we haven't had an incident to date.
    
    I'm curious how many of our "learned" users have key loggers installed on other people's PC and are checking their email... or reading their sensitive documents.

    [ link to this | view in chronology ]