The Six Dumbest Ideas in Computer Security

The Grim Squeaker
Emperor's Hand
Posts: 10319
Joined: 2005-06-01 01:44am
Location: A different time-space Continuum

The Six Dumbest Ideas in Computer Security

Post by The Grim Squeaker »

Interesting read, here's a snippet:
#1) Default Permit
#2) Enumerating Badness
#3) Penetrate and Patch
#4) Hacking is Cool- I've wondered about this myself :roll:
#5) Educating Users = people will give passwords away for candy bars :wink:
#6) Action is Better Than Inaction. Quote: I know one senior IT executive - one of the "pause and thinkers" whose plan for doing a wireless roll-out for their corporate network was "wait 2 years and hire a guy who did a successful wireless deployment for a company larger than us." Not only will the technology be more sorted-out by then, it'll be much, much cheaper. What an utterly brilliant strategy!
The minor dumbs at the bottom really crack me up though:
* "We're Not a Target" - yes, you are. Worms aren't smart enough to realize that your web site/home network isn't interesting.
* "Everyone would be secure if they all just ran <security-flavor-of-the-month>" - no, they wouldn't. Operating systems have security problems because they are complex and system administration is not a solved problem in computing. Until someone manages to solve system administration, switching to the flavor-of-the-month is going to be more damaging because you're making it harder for your system administrators to gain a level of expertise that only comes with time.
* "Let's go production with it now and we can secure it later" - no, you won't. A better question to ask yourself is "If we don't have time to do it correctly now, will we have time to do it over once it's broken?"
* "We can't stop the occasional problem" - yes, you can. Would you travel on commercial airliners if you thought that the aviation industry took this approach with your life? I didn't think so.
Genius is always allowed some leeway, once the hammer has been pried from its hands and the blood has been cleaned up.
To improve is to change; to be perfect is to change often.
Faqa
Jedi Master
Posts: 1340
Joined: 2004-06-02 09:32am

Post by Faqa »

I have to take issue with the "penetrate and patch" rant.

It's plain impossible to test the code that thoroughly before release. While it's a good idea to not rely on finding the holes when the system's running, to say that it should be unnecessary to look because they shouldn't be there in the first place is far too utopian. Sorry buddy. Not in any for-profit organization.

And teaching yourself hacking tricks? How the fuck are you supposed to make a secure system if you don't know how they try to break in?

It is an interesting read though.
"Peace on Earth and goodwill towards men? We are the United States Government - we don't DO that sort of thing!" - Sneakers. Best. Quote. EVER.

Periodic Pwnage Pantry:

"Faith? Isn't that another term for ignorance?" - Gregory House

"Isn't it interesting... religious behaviour is so close to being crazy that we can't tell them apart?" - Gregory House

"This is usually the part where people start screaming." - Gabriel Sylar
Xon
Sith Acolyte
Posts: 6206
Joined: 2002-07-16 06:12am
Location: Western Australia

Re: The Six Dumbest Ideas in Computer Security

Post by Xon »

I've got some issues with some of those items.

For example, Penetrate & patch is a fundamentally unsolvable problem; programming is so horrifically hard you can't do anything but penetrate/break & patch.

Unless you are willing to spend several trillion dollars and several decades working on a project, you are never ever going to see something like Windows XP or IE without bugs.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on HDD partitioning schemes.
Molyneux
Emperor's Hand
Posts: 7186
Joined: 2005-03-04 08:47am
Location: Long Island

Re: The Six Dumbest Ideas in Computer Security

Post by Molyneux »

the .303 bookworm wrote: Interesting read, here's a snippet:
#1) Default Permit
#2) Enumerating Badness
#3) Penetrate and Patch
#4) Hacking is Cool- I've wondered about this myself :roll:
#5) Educating Users = people will give passwords away for candy bars :wink:
#6) Action is Better Than Inaction. Quote: I know one senior IT executive - one of the "pause and thinkers" whose plan for doing a wireless roll-out for their corporate network was "wait 2 years and hire a guy who did a successful wireless deployment for a company larger than us." Not only will the technology be more sorted-out by then, it'll be much, much cheaper. What an utterly brilliant strategy!
The minor dumbs at the bottom really crack me up though:
* "We're Not a Target" - yes, you are. Worms aren't smart enough to realize that your web site/home network isn't interesting.
* "Everyone would be secure if they all just ran <security-flavor-of-the-month>" - no, they wouldn't. Operating systems have security problems because they are complex and system administration is not a solved problem in computing. Until someone manages to solve system administration, switching to the flavor-of-the-month is going to be more damaging because you're making it harder for your system administrators to gain a level of expertise that only comes with time.
* "Let's go production with it now and we can secure it later" - no, you won't. A better question to ask yourself is "If we don't have time to do it correctly now, will we have time to do it over once it's broken?"
* "We can't stop the occasional problem" - yes, you can. Would you travel on commercial airliners if you thought that the aviation industry took this approach with your life? I didn't think so.
AAH! I've been pissed off about "Default Permit" since I got my first computer! (I didn't know that it was called that, but it's been a major headache). I never understood why the hell I couldn't even just block a Flash file (an annoying ad, for example) from playing on a Website...
Ceci n'est pas une signature.
Dahak
Emperor's Hand
Posts: 7292
Joined: 2002-10-29 12:08pm
Location: Admiralty House, Landing, Manticore

Post by Dahak »

Complex software systems, by their very existence, are not bug-free. You can do your best to keep bugs to a limit with a good design, proper coding technique, and testing. But once you go beyond "Hello World!" it gets ever more complicated and expensive to find bugs.
Great Dolphin Conspiracy - Chatter box
"Implications: we have been intercepted deliberately by a means unknown, for a purpose unknown, and transferred to a place unknown by a form of intelligence unknown. Apart from the unknown, everything is obvious." ZORAC
GALE Force Euro Wimp
Human dignity shall be inviolable. To respect and protect it shall be the duty of all state authority.
Luke Starkiller
Jedi Knight
Posts: 788
Joined: 2002-08-08 08:55pm
Location: Ottawa, Canada

Post by Luke Starkiller »

Destructionator XIII wrote:There is one security thing that my company uses that I think is really stupid:

When someone types his password incorrectly thrice, his user account is locked out of the network until the administrator manually turns him back on (which is bad because our IT department takes their sweet time in doing anything, so the company loses money as this employee can't work...)

I fail to see how this is a good idea at all, and I in fact think it is a horrible idea. Imagine this: what if a malicious user sat down and started randomly punching in user ids (which is easy to get a list of) with bogus passwords, locking user accounts out of the system. A coordinated attack could lock out all the supervisors with ease: effectively halting business for some time.

I could understand if it locked out a particular workstation for some time, but the account out of the network hits me as colossally stupid.
My company has something more stupid: when accessing the Intranet it will lock us out after 3 failed passwords, but all we have to do is clear our cookies to be able to log in again. :lol:
What kind of dark wizard in league with nameless forces of primordial evil ARE you that you can't even make a successful sanity check versus BOREDOM? - Red Mage
aerius
Charismatic Cult Leader
Posts: 14801
Joined: 2002-08-18 07:27pm

Post by aerius »

#6 is quite true. Always let someone else take the hit first and learn from their experiences. Sometimes doing nothing is the best option. If the current system works well, why dick around with upgrades? Oh look, it's new, it's shiny, it's untested, let's go install it on our perfectly setup system and hope for the best! I hate that kind of thinking. Newer is not better. Don't "upgrade" unless there's a compelling reason to do so or if there's substantial benefits.
aerius: I'll vote for you if you sleep with me. :)
Lusankya: Deal!
Say, do you want it to be a threesome with your wife? Or a foursome with your wife and sister-in-law? I'm up for either. :P
Flakin
Jedi Knight
Posts: 596
Joined: 2004-10-21 11:06am
Location: The office.

Post by Flakin »

Destructionator XIII wrote:There is one security thing that my company uses that I think is really stupid:

When someone types his password incorrectly thrice, his user account is locked out of the network until the administrator manually turns him back on (which is bad because our IT department takes their sweet time in doing anything, so the company loses money as this employee can't work...)

I fail to see how this is a good idea at all, and I in fact think it is a horrible idea. Imagine this: what if a malicious user sat down and started randomly punching in user ids (which is easy to get a list of) with bogus passwords, locking user accounts out of the system. A coordinated attack could lock out all the supervisors with ease: effectively halting business for some time.

I could understand if it locked out a particular workstation for some time, but the account out of the network hits me as colossally stupid.
Nooo... this is a necessary evil to stop brute force attacks. Given enough time and effort, any password will eventually be cracked if infinite attempts are given. That's why complexity rules should be set for the passwords (Certain amounts of numbers, variation of capital and lower case letters, use of special characters).

Now, regarding your thoughts about locking out all the admin user IDs, a proper environment will be set up where one admin account will be set to automatically unlock after a given period of time (Many firewall products and routers have this type of security configuration) - and should the password of any admin account become locked, a well configured system will send out an alert notification to the system administrators.

At a bank I worked for about four years ago, we had an external contractor come in and attempt to penetrate our Windows NT domain. He succeeded in performing what you stated above - he locked out every single user ID on the network in the middle of a work day (resulting in a hurried phone call to our department to say "Oops!".) Thanks to our having a 'hidden' administrator account we were able to have the entire network user list unlocked within 10 minutes, and the contractor duly escorted to the front door of the building.

And as long as physical access to the domain / password management servers is maintained by the system administrators, there are plenty of recovery measures that can take place.
EBC: Mississippi Division Sleeper Unit "The Sad Weimaraners".
Beowulf
The Patrician
Posts: 10621
Joined: 2002-07-04 01:18am
Location: 32ULV

Post by Beowulf »

Destructionator XIII wrote:There is one security thing that my company uses that I think is really stupid:

When someone types his password incorrectly thrice, his user account is locked out of the network until the administrator manually turns him back on (which is bad because our IT department takes their sweet time in doing anything, so the company loses money as this employee can't work...)

I fail to see how this is a good idea at all, and I in fact think it is a horrible idea. Imagine this: what if a malicious user sat down and started randomly punching in user ids (which is easy to get a list of) with bogus passwords, locking user accounts out of the system. A coordinated attack could lock out all the supervisors with ease: effectively halting business for some time.

I could understand if it locked out a particular workstation for some time, but the account out of the network hits me as colossally stupid.
DoS vs. brute force attack on passwords. Solution to the lock out is an account that can only be used to login physically to the domain server. Also, make the usernames not easily determinable.
"preemptive killing of cops might not be such a bad idea from a personal saftey[sic] standpoint..." --Keevan Colton
"There's a word for bias you can't see: Yours." -- William Saletan
bilateralrope
Sith Acolyte
Posts: 6187
Joined: 2005-06-25 06:50pm
Location: New Zealand

Post by bilateralrope »

Flakin wrote:Nooo... this is a necessary evil to stop brute force attacks. Given enough time and effort, any password will eventually be cracked if infinite attempts are given. That's why complexity rules should be set for the passwords (Certain amounts of numbers, variation of capital and lower case letters, use of special characters).
You could put a small delay after each failed password attempt. Since brute force works by trying every possible combination till it finds the correct one, it's only effective if either there is a small range of possible passwords (which is very stupid) or it can go through quite a lot in a short space of time.

So if you set it up that after each failed attempt the computer will stop responding for a few seconds (with the complexity rules on passwords) you will not really inconvenience anyone who mistypes their password, but brute force will be severely hampered. After a preset number of attempts you could set it up to increase the delay and/or notify someone else.

All this would really do though is make sure that the person operating the computer is the weakest part of the security, since if they give their password to the wrong person, that person can log in on the first attempt, thus bypassing all of this.
Flakin
Jedi Knight
Posts: 596
Joined: 2004-10-21 11:06am
Location: The office.

Post by Flakin »

bilateralrope wrote: You could put a small delay after each failed password attempt. Since brute force works by trying every possible combination till it finds the correct one, it's only effective if either there is a small range of possible passwords (which is very stupid) or it can go through quite a lot in a short space of time.
That's what Windows and most other modern OSes do after 4 or 5 failed attempts. It still doesn't stop the attack being run though, and given enough time, a password will fail. If the account locks, then the attempt is over until someone in authority has unlocked it. And if the account repeatedly locks, that gives an opportunity to find the source of the tampering.
bilateralrope wrote: So if you set it up that after each failed attempt the computer will stop responding for a few seconds (with the complexity rules on passwords) you will not really inconvenience anyone who mistypes their password, but brute force will be severely hampered. After a preset number of attempts you could set it up to increase the delay and/or notify someone else.
True, but what, for example, happens if the attacker already knows a fragment of the password, through either shoulder surfing or social engineering? You can't take chances with this crap. To me, the three strikes and 'oh bollocks!' rule has always seemed fair on a business network.

Now, some of these brute force measures, such as password locking and severity rules, can eventually be relaxed in most business environments thanks to such things as biometrics and RSA tokens.
bilateralrope wrote: All this would really do though is make sure that the person operating the computer is the weakest part of the security, since if they give their password to the wrong person, that person can log in on the first attempt, thus bypassing all of this.
But of course. That's when you have a half decent Intrusion Detection system in place to detect normal user behavior and when it goes wacky starts ringing some alarm bells. The end user is always the weakest link. I recently obtained the CISSP cert, and read case study after case study where well meaning people were tricked out of giving up their passwords through the simplest of methods. End users also trip over network cables, unplug servers to put in a stereo system, put coffee on top of their PCs, leave screens unlocked, write passwords down on post-it notes on their monitor screen, make passwords the name of their significant others, send insecure emails through the Internet complete with their personal details, go to websites and install spyware because 'I like to see the sports scores'... there's really no end to what an end user can do to fuck up a network. The trick is to have a security policy that tries to cover as much of it as possible and make users aware.

But computer security is like an onion (as one of the CISSP books I read told me) - it's all layers of protection. You can't completely secure anything. You can just try and make it as secure as you can, and three strikes and then call an admin / helpdesk for a password policy isn't too great a hardship to me. But then, I'm a jaded old sys admin / IT manager who gets weary of user complaints... :P
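The two mitigations argued over in this thread (bilateralrope's progressive delay after each failed attempt, and Flakin's lockout that unlocks itself after a set period and alerts the administrators) can be combined in one login throttle, and the combination also shows why Destructionator's lockout-as-denial-of-service complaint is real: while the lock is active, the correct password is rejected too. The following is an added example written for this discussion, not code posted by anyone in the thread. The `verify` callback, the constructed `alice` credential, the fake clock and the delay and lockout parameters are all assumptions chosen for illustration; a real deployment would plug in its own credential check and tune the numbers.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    not_before: float = 0.0    # progressive delay: nothing is checked before this time
    locked_until: float = 0.0  # 0.0 when the account is not locked


class LoginThrottle:
    """Progressive per-failure delay plus a self-expiring lockout with an alert.

    `verify(user, password)` is the real credential check (hypothetical here);
    `clock` is injectable so the timing can be exercised offline.
    """

    def __init__(self, verify, *, base_delay=2.0, max_delay=60.0,
                 lock_after=10, lock_seconds=900.0, alert=None,
                 clock=time.monotonic):
        self._verify = verify
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.alert = alert or (lambda user, state: None)
        self.clock = clock
        self._accounts = {}

    def attempt(self, user, password):
        """Returns 'ok', 'denied', 'too_fast' or 'locked'."""
        now = self.clock()
        st = self._accounts.setdefault(user, AccountState())

        # Temporary lockout: bounded in time, so a flood of bogus attempts
        # costs at most lock_seconds per account rather than a manual unlock.
        if st.locked_until:
            if now < st.locked_until:
                return "locked"
            st.locked_until = 0.0  # automatic unlock after the period
            st.failures = 0

        # Progressive delay: an attempt inside the delay window is refused
        # without looking at the password, so it reveals nothing.
        if now < st.not_before:
            return "too_fast"

        if self._verify(user, password):
            self._accounts.pop(user, None)  # success clears the counter
            return "ok"

        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = now + delay
        if st.failures >= self.lock_after:
            st.locked_until = now + self.lock_seconds
            self.alert(user, st)  # notify the administrators of the lockout
            return "locked"
        return "denied"


def demo():
    """Constructed scenario driven by a fake clock; returns (results, alerts)."""
    fake = {"t": 0.0}
    alerts = []
    users = {"alice": "correct horse battery staple"}  # constructed sample credential

    def verify(user, password):
        return user in users and hmac.compare_digest(password, users[user])

    throttle = LoginThrottle(verify, base_delay=2.0, max_delay=60.0,
                             lock_after=3, lock_seconds=100.0,
                             alert=lambda user, st: alerts.append(user),
                             clock=lambda: fake["t"])
    results = []

    def step(advance, password):
        fake["t"] += advance
        results.append(throttle.attempt("alice", password))

    step(0, "wrong")           # t=0:   failure 1, next attempt allowed at t=2
    step(1, "wrong")           # t=1:   inside the delay window, not checked
    step(2, "wrong")           # t=3:   failure 2, delay doubles to 4s
    step(5, "wrong")           # t=8:   failure 3 -> locked until t=108, alert fires
    step(10, users["alice"])   # t=18:  right password, still locked (the DoS)
    step(100, users["alice"])  # t=118: lock expired, login succeeds
    return results, alerts


if __name__ == "__main__":
    print(demo())
```

The delay doubles with each consecutive failure, so a legitimate typo costs a couple of seconds while a guessing loop is slowed to a crawl before the lock ever triggers; the lock itself expires on its own and fires an alert, which is the "auto-unlock plus notification" arrangement Flakin describes. The one thing the throttle cannot fix is the last point both posters agree on: a correct password on the first attempt sails straight through.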