Forgot your password?
typodupeerror
Google Security Microsoft Privacy Your Rights Online

The Effect of Snake Oil Security 110

Posted by timothy
from the homeopathic-snake-oil-is-better dept.
Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"
This discussion has been archived. No new comments can be posted.

The Effect of Snake Oil Security

Comments Filter:
  • Good, Bad and Ugly (Score:5, Interesting)

    by hhawk (26580) on Wednesday September 08, 2010 @08:19AM (#33507192) Homepage Journal

    I think it's also a very hard concept that Good security can fail some times as well, so it's hard for some managers and others to understand the difference between good security failing and bad security having really never worked at all...

    Good security can fail when new venerabilities are found, when risk assessments are not up dated in a timely manner, to do human / operator errors, etc.

    • by JeffSpudrinski (1310127) on Wednesday September 08, 2010 @08:32AM (#33507252)

      It can also be hard for folks to understand that you need layered security and that sometimes what worked at one time should be replaced.

      We recently migrated from one solution (McAfee) to another (Sophos). Company management eventually bought in, but the question has been asked "Why were we running inferior stuff to begin with?" McAfee wasn't inferior when we went to it (eight years ago)...they just simply didn't keep up with the times.

      Threat vectors change over time and it is necessary to make yourself essentially a "moving target" by not relying on a single (or even the same) solution over time. If you do an audit and find something lacking...replace it.

      Just my $0.02

      -JJS

      • by Anonymous Coward

        McAfee wasn't inferior when we went to it (eight years ago)

        McAfee has been inferior pretty much since they moved the product from DOS to Windows.

    • by Anonymous Coward

      See: the original blog entry [ckers.org]

  • by suso (153703) *

    Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.

    • by tverbeek (457094) on Wednesday September 08, 2010 @08:48AM (#33507346) Homepage

      I was disappointed that the bear-in-the-woods analogy involved neither shit nor the Pope, but it was insightful nonetheless.

      • by Larryish (1215510)
        What does drinking beer in the woods have to do with security?
        • by Anonymous Coward

          If you're not secure enough while you're drinking in the woods, you'll get turned into bear shit.

        • by tsalmark (1265778)
          With out WiFi you can not be hacked in the woods while drinking beer. How ever Rain, children with half melted marshmallows and chipmunks can all necessitate a trip to your local computer store.
    • by (Score.5, Interestin (865513) on Wednesday September 08, 2010 @09:18AM (#33507558)

      Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.

      Preved?

    • by Joebert (946227)

      Think about the bear analogy again. If you feed the guy next to you to the bear, now the bear is satiated. That's great for a while, and you're safe. But when the bear is hungry again, guess who he's going after? You're much better off working together to kill or scare off the bear in that analogy.

      Unless you're smart, like Betty White in Lake Placid.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Rudyard Kipling said it better...

        IT IS always a temptation to an armed and agile nation,
        To call upon a neighbour and to say:
        "We invaded you last night - we are quite prepared to fight,
        Unless you pay us cash to go away."

        And that is called asking for Dane-geld,
        And the people who ask it explain
        That you’ve only to pay ’em the Dane-geld
        And then you’ll get rid of the Dane!

        It is always a temptation to a rich and lazy nation,
        To puff and look important and to say:
        "Though we know we should defeat

  • by Anonymous Coward

    But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

    Of course.. look at Mcafee

  • In short (Score:5, Insightful)

    by guruevi (827432) <evi@NOSpam.smokingcube.be> on Wednesday September 08, 2010 @08:24AM (#33507220) Homepage

    Statistics can be made to show anything, managerial and C-level executives have to be more responsible and in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.

    The main problem imho is that there are no real punishments when something goes bad. If somebody gets hacked the old adage of "it's happening more often throughout the industry" is used to redirect the blame from the gatekeepers to the attackers. If somebody doesn't get hacked while the competition is, the executives get praised even though they might not have done anything meaningful. Back in the day when castles (security products) were used to protect a lord (the data or the company) and the gatekeeper (managers and sysadmins) didn't do their job, the gatekeeper would get flogged, stripped naked and/or executed. The soldiers didn't blame someone else when somebody invaded their castle and they didn't pat themselves on the back as 'doing a good job' when the neighboring castles were ransacked.

    Security procedures have nothing to do with the rest of the industry. Most likely they're unique to your company and structure, and one time, you're going to be up for a targeted attack and you should be ready at all times.

    • Re: (Score:3, Insightful)

      by John Hasler (414242)

      ...in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.

      Not if the customers react by taking their business elsewhere.

      • Re: (Score:3, Insightful)

        by jimicus (737525)

        Not if the customers react by taking their business elsewhere.

        They haven't yet.

      • Re: (Score:3, Insightful)

        by Bert64 (520050)

        Which in many cases they can't do, since they're locked in.

    • Re:In short (Score:4, Insightful)

      by BobMcD (601576) on Wednesday September 08, 2010 @10:40AM (#33508292)

      The main problem imho is that there are no real punishments when something goes bad.

      This is quite true, but there's simply no viable alternative. Who would wield the power of 'real punishment' in the hypothetical 'fix' scenario? The government?

  • by Anonymous Coward

    Meh, everybody knows that a big fence grabs the attention, because you "must" have something to hide.
    Anybody can kinda protect a Windows machine by just having spybot, a password and a firewall on his modem/router, for free.
    But any big (I mean non free) antivirus will be useless against the stupidity of the end user.

    - Do you really want to open pornIMG.exe ?
    - YA RLY!

    • by Dr_Barnowl (709838) on Wednesday September 08, 2010 @09:02AM (#33507442)

      Well, no. Most of them are configured to remove the possibility of that choice from the user - if they detect a virus, they quarantine the file and don't give you a choice. It's more that they can't detect everything. After that, it's not the virus scanners fault if users have poor digital hygiene.

      For what it's worth, I run my personal Windows boxes without anti-malware and anti-virus, respect a few general principles, and don't have problems. But explaining this to common users seems to be impossible. They seem to be unable to apply general principles, instead needing specific directions for every little circumstance.

      People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.

      • Re: (Score:3, Insightful)

        by hedwards (940851)
        That works well, until some jerk finds an exploit in Windows' TCP/IP stack and you get infected by a worm. Or a new attack vector comes out such as the ones that relatively recently allowed for images and PDFs to be infected. Running windows without antivirus and antimalware is irresponsible no matter how careful you are, it's not meant to preclude or replace and individuals responsibility, but it works well as a back up.
        • by Bert64 (520050)

          Antivirus is just a filter that will detect and stop the lowest hanging fruit...
          I have done incident response jobs for many many different clients, and without exception every single compromised machine i've ever looked at had some kind of av product installed at the very least. Aside from detecting the most trivial of attacks, it provides a false sense of security and encourages users to be less careful.

        • by Astatine (179864)

          Running windows without antivirus and antimalware is irresponsible no matter how careful you are, it's not meant to preclude or replace and individuals responsibility, but it works well as a back up.

          No, it does not.

          The first thing that the cleverer worms and other malware do after getting a foothold on your machine is disable the AV. You might get a bunch of warnings out of it if you're lucky, but its cleanup routines won't work any more, and it won't warn you about any further infections. You still need that backup, because the only way to be sure you've got the malware off is to wipe and reinstall.

          That's not even considering malware the AV hasn't heard of yet.

          • Re: (Score:3, Insightful)

            by mlts (1038732) *

            TBH, the only thing that really helps with malware infections is having good backups, and a well practiced method of restoring data, either just grabbing a couple files, or a complete bare metal restore from boot media or a PXE server. The ideal media for backups is something that can be set to read-only like tapes or WORM media like optical. This way, malware can't alter the contents once written.

            AV programs are nice, and sometimes they do catch a Trojan or two, but I've cleaned a lot of systems where th

        • Re: (Score:3, Insightful)

          by HungryHobo (1314109)

          antivirus software is useless for actual security, in general by the time the AV detects it you've already been infected and the virus has done it's dirty work.(unless you're lucky and it catches it as it tries to infect you)

          if it's a true worm chances are high you'll be infected before the AV company adds it to their database or before the update is downloaded.
          Antivirus software is an example of enumerating badness.
          You pay a company a few dollars a month to try to keep track of everything bad in the world.

      • by tibit (1762298)

        I agree. I have no AV in my VMware image, and I have had no problems. I run an offline scan of the image's contents using clamav every once in a while, and there was never a problem. But I'd have a very hard time teaching anyone to follow safe browsing rules. People are very reactionary, and as soon as they see an antivirus warning, they go crazy, even if it's just a website warning. They believe, by default, that throwing money on the problem will fix it.

      • by pnutjam (523990)
        No problems that you see...

        How do you know there is not a trojan or a virus lurking on your machine? Do you perform occasional scans?
      • People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.

        Data Execution Prevention was enabled in Windows XP SP2. (Shortly after CPUs with the ability popped up.)

        You haven't had to run as administrator since Windows 2000. You haven't had to run as administrator to have all your shitty programs work since Windows XP. You haven't run as administrator by default since Vista.

        • Yes, you haven't HAD to run as admin. (since NT, which I remember). But the default config that Windows does for it's home editions is to configure the first user created as a member of the Administrators group. The pathetic lame-ass situation you describe with applications that require admin privs to even run has been fostered because Windows made it a pain in the ass to elevate privileges, so most software developers wrote all their code with a user in the Administrators group, because being a software de

    • by mlts (1038732) *

      I'd say that isn't the case. Exploits with browsers or add-ons can easily compromise a machine just as badly as an open port. Browser and add-on security is still in its infancy while network security has matured over a number of years. So even with the Maginot line of network stuff, all it takes is one add-on programmed by the lowest bidder to open internal systems wide open.

      The only real fix I know of? AdBlock is your first line of defense. If you want to be sure, run your Web browsing in a VM whose

  • by lightspeedius (263290) on Wednesday September 08, 2010 @08:29AM (#33507240) Homepage

    I think we will solve the issues of computer security about the same time we figure out how to deal with conflicts within ourselves and humanity.

    • The '60s called: they want their LSD-25 back, man.

      peace,

    • by Bert64 (520050)

      The solution is for non technical users to have simpler devices that only serve their needs and don't provide anything else.... When was the last time you heard of a games console, printer, typewriter or microwave being exploited remotely, or being used to download malware?
      Having a general purpose computer with an excessively complicated OS is just asking for trouble. Such things are simply not appropriate for the general public.

  • It can also act as a laxative, leading to anal leakage.

  • Stop using MS. The "security" side is like asking if you like your snake-oil with extra cocaine, sugar or alcohol.
    Get over the lecture, assistants in the crowd and find a tonic that works. Something based on folk remedies, homespun remedies which-by trial and error have proven to work.
    • by jimicus (737525) on Wednesday September 08, 2010 @09:00AM (#33507426)

      I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.

      The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.

      The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

      Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"

      • by Stumbles (602007) on Wednesday September 08, 2010 @09:37AM (#33507692)
        What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

        That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around. If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows. That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.

        • by slyguy135 (844866)

          > That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.

          Which was grandfather's point. [My ol' gramps always was a smart one].

          • by jimicus (737525)

            Erm.... actually it wasn't. In fact, I was so concerned my point would be missed I spelled it out explicitly. Maybe putting it in bold will help.

            Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root.

            All an attacker has to do is persuade something to run arbitrary code. The obvious way that we all know and hate is to trick the user i

        • by Blakey Rat (99501)

          That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around.

          Can you prove that? OS X seems to be the first to fall, any time there's a OS compromising competition...

          If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows.

          We'll never know, until the situation reverses itself. Until then, it's pretty damned hypothetic

      • by Bigjeff5 (1143585)

        What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?

        Hold on, since when does Linux have 6% market share? Try 30-60 times the number of potential victims if you go after Windows.

        Frankly, unless you have a grudge against Linux, you'd have to be an idiot to attack anything other than Windows. Macs are an ok second choice, but even if 80% of Windows users were well informed in computer security, there would still be more ignorant Windows users than there are total Mac users, so even that is a stupid choice. And you can be sure that 80% of users are not well i

      • by mjwx (966435)

        The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass

    • As a frequent Windows user I'll go with the extra cocaine, thanks.
    • Re: (Score:3, Insightful)

      by wshs (602011)
      Most recent attacks have been via stupid users, not buggy OS. The reason Linux hasn't been targeted is threefold: 1) next to nobody uses it, thus a waste of effort to write malware for it; 2) its users aren't retarded; 3) each distro is completely different, unlike different Windows versions.
      • As someone who has written linux applications from python scripts to QT applications to low-level socket programmer, no, there is very LITTLE difference between linux distros unless you want to use their package manager. How many windows viruses do you find listed in "Add/Remove Applications"? In fact, the networking (most complex part of any virus/trjan) is so standard accross distros, an application written for ubuntu will easily run on FreeBSD and the only part that needs to be customized is the final pa
        • by wshs (602011)
          How do you get something to run at boot on Gentoo? On Redhat? On Ubuntu? Hint: it varies widely with distro. The combination of startup scripts, configuration files, home directories, and even binaries leaves your trojan hunting for all these things. Combined with the fact different distros have different libs, means if the distro doesn't have the exact libs needed, the trojan won't run in the first place. As someone who has written primarily C for the last 12 years, I find networking to be the easiest par
  • Suck it, squirrels! You can not have them!

  • by tgd (2822) on Wednesday September 08, 2010 @08:57AM (#33507408)

    When your webserver dumps its cargo at the first sign of an Imperial Cruiser ...

  • not just security (Score:5, Interesting)

    by Tom (822) on Wednesday September 08, 2010 @09:09AM (#33507490) Homepage Journal

    It isn't just security. I supervise the IT audits in our company, and I can't list anymore how often fake procedures have been tried to pass of as actual processes. Right now, our software development managers try to tell everyone how "agile" they are - but the real work their people do has nothing to do with agile development whatsoever. I've seen so-called "change management" that wasn't worthy of even being in the same room with actual change management, and "access controls" that were essentially bullshit in paper form.

    There are usually two causes for this: Malicious people who are greedy for either power and/or money, or incompetent people who don't understand what they're doing (or managing) but are too afraid to ask for help and too stupid to find it on their own. Both kinds of people try to pass off what they're doing as the real thing and will respond to any attempts at questioning or changing it with hostility. In fact, that hostility is a pretty good indicator of both snake oil and incompetence.

    • Yup, its amazing how 'buzz words' for all the important business processes, work flows and logic layers are meaningless, when they're not taken seriously.

    • Re:not just security (Score:5, Interesting)

      by Garwulf (708651) on Wednesday September 08, 2010 @10:37AM (#33508240) Homepage

      I can vouch for that...

      I used to work in the public sector. A few months before I left to return to school, we changed computer consultants to a new guy, and to this day I swear he was deliberately creating problems so he could bill us for solving them.

      It started off with a computer audit. Now, I'm not a professional computer consultant, but I've been around computers pretty much my entire life, and my father used to be a consultant. My idea of an audit is to generate a list of what programs are running, what anti-virus programs are in place, what firewall is in place, what processes are running, etc. So, when I found out that my computer was about to be audited, I was prepared to be away from it for half an hour to an hour.

      Instead, he checked the Windows version, and moved on.

      Now, to understand this story, one of the things you have to understand is that I was an unofficial IT guy in the office. And, I had taken a couple of steps for basic security (this was back around 2003), such as moving everybody away from Outlook Express and onto Netscape mail. It was a small Windows 2000 network in a small office, and so long as it was kept behind a hardware firewall and nobody did anything terribly stupid, it was fine aside from the occasional software glitch.

      The first recommendation that he put in, and management enforced, was to take everybody off Netscape and put them back onto Outlook Express. Massive infection of the entire network followed. Then, as I was the guy who started complaining that something was wrong here, he tried to blame me for hacking the system.

      Now, this wasn't the main reason I left to go back to school (one of the problems with working in social services is that it can be very soul destroying work, and I had reached the point where I just couldn't continue any further), but it definitely gave me a good dose of snake oil before I left...

  • It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

  • by Anonymous Coward

    Security is a process, not a product.

    Every time, I mean *every damn time*, someone tells you only to buy this or that product to get more security, he/she is fooling you. Security is a process that needs knowledgeable people with the right tools and the right amount of time available, not just colorful boxes sold by well dressed salesmen. Unfortunately most execs still can't grasp that simple concept.

    • The only truly effective security product is a pair of wire clippers, applied generously.

    • by nospam007 (722110) *

      I had a client who bought a sticker with an angel on it, which had to be placed on the computer to protect it from all viruses, ever!
      And it did cost only a couple of hundred bucks.

  • by quetwo (1203948) on Wednesday September 08, 2010 @10:06AM (#33507968) Homepage

    Ever since we installed the Springfield Bear Protection System, there haven't been any bears in our neighborhood! It works great!

    • by PitaBred (632671)

      Yeah? That's great. I've got some rocks that repel tigers if you're interested. Letting them go for well below cost.

  • I was just thinking the other day [ozzu.com] about how antivirus software has been the number one download at Download.com for years. I would think that if the woftware works, the download counts would go down.
  • I whole agree with the article in it's entirety. As a former CSO and retired military, most organizations don't take us seriously until you point out a few social engineering hack attempts. How I implemented security wasn't snake oil, as it was the design of the entire team IT. Our honey-pots were a great tool for finding out what hackers are after, but the 'paid' crackers are we were most scared of - not companies selling us fake products. It's up to IT staff to effectively evaluate any product or servi

A holding company is a thing where you hand an accomplice the goods while the policeman searches you.

Working...