I’ve decided to compile a list of all the interviews I have been taking for the
folks (two anonymous ones are excluded, as perhaps they shouldn't have
been taken in the first place, and a Xmas issue without an interview)
that I have had the chance to talk to. I hope you will enjoy the
diversity of their backgrounds and the topics covered.
------------------------
Interview with Proge, Founder of Progenic http://www.progenic.com/
Astalavista : To those who still don't know of Progenic.com, give us a brief introduction of the whole idea and its history?
Proge : Basically it all started back in '98, we just made software for the
fun of it and stuck it up on a webpage, mostly pretty simple stuff. It
was a fun time but as the scene grew, things got a little out of hand,
and when FakeSurf (the first automated surfing tool) was released we had
legal threats from Alladvantage, lost our sponsorship that was paying
for the bandwidth and were flooded with people wanting nothing more than
a quick buck. I think that's when everyone decided enough was enough,
and we took the site behind closed doors. I left the toplist up on
Progenic.com because it's a scene I came from and I don't want to see it
die. At the moment I'm working on more constructive things like
DownSeek.com, it's more satisfying to create something that helps people.
Astalavista : Having been on the Scene for such a long time, what is your opinion on
today's Security threats home and corporate users face every day?
Proge : There are usually two reasons why you become a target: automated
software scanning your system for known exploits that you should have
patched, or you've made yourself a target. If someone wants to break into
your system then unless you have a dedication to security, that window
between an exploit and a patch is going to get you. Even if you stay on
top of things, it can still be a battle. According to Microsoft 'the
only truly secure computer is the one buried in concrete, with the power
turned off and the network cable cut' and you probably run their
operating system.
Astalavista : Is Security through Education the perfect model for any organization?
Proge : Definitely! I'm still amazed that there are programmers and sys-admins
out there who think functionality first, security second or not at
all. You need to understand hacking to understand Security. You know the
reasons why you lock your door at night, why you set an alarm, but do
you know why you have a firewall or an intrusion detection system, or
did it just sound like a good idea when you got a glossy leaflet warning
you about 'hackers' and asking for your money? You can't just install a
product and forget about Security, but that's what the industry tries to
sell. Security is a constant threat and it isn't game over until you
lose.
Astalavista : How real do you think the threat of CyberTerrorism is?
Proge : With people like we have in power it gets more real. Like I said, if you make yourself a target, you've got a problem.
Astalavista : Is BigBrother really watching us, and what's the actual meaning of the word 'privacy' nowadays?
Proge : A good question. They're definitely watching us, but to what degree,
who knows. It doesn't hurt to have a healthy paranoia. There are two sides
to the privacy argument really. Either you're worried that
government/business is overstepping the mark and intruding on your
personal life for their own benefit, or you've got something to hide.
Unfortunately privacy is being marketed at those with something to hide;
you've seen the ads: cheating on your wife? Grooming underage kids?
Erase your history, don't get caught etc. It's ironic that there are more
ethics in a scene that is largely branded a threat to Security than
there are in government and business.
Astalavista : Thanks for your time, Proge.
Proge : You're welcome!
-------------------------
Astalavista : How was the idea of TextFiles.com born?
Jason : TEXTFILES.COM was born because one day in 1998 I wondered what had
ever happened to an old BBS I used to call (it was called Sherwood
Forest II). Since the WWW had been around for a good 5 years, I figured
there would be a page up with information about it, and I could even
download a few of the old textfiles I used to read back in those days
(the BBS was up from about 1983 to 1985). To my shock, there was nothing
about Sherwood Forest II anywhere, and nothing about ANY of the BBSes
of my youth. So then I went off and registered the most easy-to-remember
name I could find, textfiles.com, and started putting up my old
collection from Floppies. This gave me about 3,000 files, which I used
to attract other people's collections and find more on my own, until the
current number, which is well past 60,000.
Astalavista : There's a huge amount of illegal and destructive information (bomb
how-to guides, drug how-tos) spreading around the Internet these
days. Some of these files can be found at TextFiles.com as well; don't
you think that accessing such information is rather dangerous and could
endanger someone?
Jason : Well, the question
makes it sound like this is a recent event, the availability of
information that, if implemented, could cause damage or other sorts of
trouble. This has always been the case; if you want, we can go back to
the days of the TAP newsletter (and the later 2600 magazine) where all
sorts of "dangerous" information was being printed. We can go back many
years before that.
This may sound like a copout, but I don't really buy into the concept of
"dangerous information". At a fundamental level, it is someone saying "I
am looking at this, and I have decided you should not see it. So don't
look. I've made my decision." And I find that loathsome in that it gives
someone enormous arbitrary power.
This argument applies for the concepts of Obscenity and
Governmentally-Classified information, as well.
Sometimes people
bring up the concept of children into the argument and my immediate
reaction is not very pleasant. Parents protect; be a parent.
If
somebody wants to hurt somebody else, then information files are not the
big limiting factor to them doing it; they'll just pick up a match and
set your house on fire, or buy a gun and shoot you or someone you really
like. Censorship, as you might imagine, is not big on my list of things
that improve the quality of life.
Astalavista : Nowadays Information could be considered the most expensive "good";
what's your attitude towards the opinion that access to certain
Information would have to be paid for?
Jason : Information is a very funny thing. It can be quantified to some
extent, and some amount of
control can be issued on its transfer and storage. But the fact is that
we, as a race, have been spending a lot of time making information
easier and easier to spread. Printing press, book, flyer, radio,
records, tapes, CDs, DVDs, internet, Peer to Peer... faster and faster.
It is possible to know on the other side of the world what a child
looked like at the moment it was born, a mere few seconds later. When
Americans elected the president in the 1800s, they might not know who
had won for weeks. Many people might have never seen a photograph of the
man who ran
their country. They would almost certainly never hear him speak.
Charging
for information is everyone's right. More power to them if they can
make a buck. But that's not what I'm talking about. I've seen kids with a
hundred textfiles trying to sell access to them for $5. If they're able
to lure in suckers to pay that, then they have a talent. When you're in
the cinema, the same soda that cost something like fifty cents or a
quarter, at the local store it will cost you two or three dollars. Are
you paying for the soda or for the ability to have a soda in that
location? Similarly, I don't think you're paying for the information on a
site that charges, you're paying a fee because you didn't know any
other way to get this information.
There will always be a market
for people with the ability to take a large amount of information and
distill it for others (we called them "gatekeepers" when I took Mass
Communications in college). The only difference is that now anyone can
be a gatekeeper, and people can choose to forget them and get the
information themselves. So now it's an option, which is a great
situation indeed.
I've always been insistent about not charging
for access to textfiles.com and not putting advertisements up on the
site. I'm going to continue to do that as long as I can, which I expect
will be for the rest of my life.
Astalavista : Share your thoughts about the Dmitry Sklyarov case.
Jason : While this is not the first time that something like the Sklyarov
fiasco has occurred, I am glad that in this particular instance, a lot
of press and a lot of attention was landed on what was being done here.
Adobe realized within a short time that they'd made a serious mistake,
and I hope they will continue to be reminded of how rotten and
self-serving they were in the whole event. I certainly hope the company
name 'Adobe' will stay in the minds of everyone with it for a long time
to come.
That said, I'm glad everything worked out OK for him.
Nobody deserves to be held up in a country away from their family
because some software publisher has decided they're evil.
America
has occasionally taken poor shortcuts through very evil laws trying to
fix problems and make them worse. The "Separate but Equal" rulings in
regard to Segregation and the indictment of anti-war protesters during
World War I for something akin to Treason now have a modern cousin the
DMCA and its equivalent laws, the Mini-DMCAs being passed by states. I
think we will look back at this time with embarrassment and whitewashing
what went on.
Astalavista : How do you see the future of Internet, having in mind the Government's
invasion in the user's privacy, and on the other hand, the commercialization of the Net?
Jason : Mankind has been driven from probably day one to make things better,
cheaper, and quicker because that's what will bring them success and
fortune. People talk about television being this vast wasteland of
uselessness, yet using something like my TiVO I can now bounce among my
thousands of daily television programs and listen to events and people
that just 10 or 20 years ago, there would be no room on television for.
For all the Internet's abutments with the law, the fact is that it's
still being adopted as fast as it can, the technology driving it is
cheaper and cheaper (I have a connection to my house that costs me $200
that would have cost upwards of $10,000 in 1993) and nobody is really
able to say "This Internet Thing Needs to Go" and not get laughed at.
It
took me years and years to collect the textfiles on textfiles.com. If
people go to torrent.textfiles.com, they can download the entire
collection in as little as a few hours. People are now trading
half-gigabyte to multi-gigabyte files like they used to trade
multi-megabyte MP3 files just a few years ago.
I really don't
have any fear about it being crushed. Too many people know the secret of
how wonderful this all is. It's a great time to be alive.
Astalavista : Thanks for the chat!
------------------------------------
Astalavista : How did you get interested in the Information Security field?
Kevin : More by accident than design. I had been a freelance IT journalist
for many years - then we had a child that couldn't sleep. We went
through many, many months of averaging just a couple of hours sleep each
night - it played havoc with my freelancing; couldn't concentrate,
couldn't write, couldn't meet deadlines... In the end I gave up and got a
proper job. It was actually the first thing that came along, and was
marketing manager with a software company that just happened to develop
security software. But from then on I was hooked. Infosec is one of the
most fascinating areas there is: good versus bad, light versus dark -
the perpetual battlefield at an intellectual level without any blood.
Astalavista : Share your viewpoint on the constantly increasing malware
problem; are we going to see another ILOVEYOU disaster in the near future?
Kevin : I'm sure there will be more malware all the time - and sooner or
later, one of them will be dramatic and disastrous. My biggest fear for
the Internet, however, is government intervention. Governments need
control, and they fear lack of control. The weaker they are, the more
they need to control - and the world has some mighty weak people in high
office ATM. The Internet is a threat to their control. They need to
control the Internet in order to control people. Consider this: we call a
category of malware 'viruses'. We do so because they behave like
biological viruses. If we continue that analogy, then the 'system' they
attack (the Internet) equates to the human body.
Now, if a virus attacks a human, we react in several different ways. The
'traditional' method (it isn't traditional at all; it's very recent) is
to attack the virus with
ever-stronger antibiotics, or even the surgeon's knife. But more and
more of us are coming to the conclusion that this sort of 'quick fix' is
no fix at all - all it does is weaken the immune system and encourage
the virus to grow into ever stronger variants. The real solution is to
strengthen the immune system so that the viruses are tackled and
destroyed without causing any damage.
This analogy should be
passed back to computer viruses. If governments over-react with
increasing penalties and draconian actions (the surgeon's knife), we
will weaken the Internet until it is just a pale shadow of the vibrant
organism it should be - and we still won't ever get rid of the viruses.
The real solution is to strengthen the Internet, not to emasculate it.
Astalavista : As far as IT Security is concerned, what are the major
threats companies and home users face on a daily basis and how can they be prevented?
Kevin : Well, by now you won't be surprised to know that I consider
over-regulation to be the major threat for both business and home users.
We are all rapidly transferring our personas to the cyber world,
whether that is our business persona or individual persona. Once that is
complete, whoever controls the cyber world will control all of us.
Smart card ID cards will be able to track everything that everybody does
- in fact, we won't be able to do anything without the cards. And if a
domain name is withdrawn, individuals or entire companies will
effectively disappear overnight. This is a far greater threat than
another Lovebug.
Astalavista : In today's world of terror, how real do you think the danger of
Cyberterrorism is, like stock exchanges going down, corporate networks completely devastated by terrorist groups?
Kevin : I think that the danger exists, but is over-hyped. Attack analyses
show that a large percentage of attacks against western (that is,
American) utilities and banks come from a very small number of countries
well known to be largely anti-American. I cannot believe that this is
all done without their government knowledge - so the danger is very
real. But just as there are some very clever people attacking systems,
so there are some very, very clever people defending them.
Astalavista : What's your personal opinion on the US government's effort to monitor
its citizens' Internet activities, in order to protect them from potential terrorist attacks?
Kevin : It isn't, of course, just the US Government. I actually believe that
the UK is already further down the line on this. Governments need to
strike a balance between defending their people and enslaving their
people. A recent poll of American CSOs by CSO magazine shows
that 31% of US business leaders believe that the USA is on the way to becoming a police state.
I think that most governments have failed to find the right balance - and
I think the UK government has already put everything in place for a
police state in the UK. I forget the precise words, but the comment that
'those who would give up freedom for security actually deserve
neither' is so very true.
------------------------
Interview with Richard Menta http://BankInfoSecurity.com/
Astalavista : Hi Richard, I would appreciate it if you introduced yourself and the web site you represent, namely BankInfoSecurity.com
Rich : My name is Richard Menta. I work for an information security
consulting firm in NJ called Icons, Inc where I serve as a consultant
and as the editor of BankInfoSecurity.com.
About 90% of Icons' clients are banks and credit unions. These institutions are
heavily regulated regarding information security, yet despite this fact
we found many of our clients needed much more education on the concepts
of information security and the added threats and risks presented by
technology. BankInfoSecurity.com was developed to help fill this need by
aggregating the latest news and information, covering both the
technical and regulatory aspects of InfoSec.
Astalavista : What's the major difference between the security threats the
financial sector is dealing with, compared with the general security
ones?
Rich : Privacy is the biggest issue with regards to financial
institutions. They are mandated by the
Gramm-Leach-Bliley Act (GLBA) to protect what is called the non-public
personal information (NPPI) of their customers. The biggest security
threat comes from intruders looking to garner NPPI to facilitate
identity theft. As the relationship of financial institutions with their
customers is highly based on trust and mass identity theft undermines
that trust, it is a critical issue to control the theft of customer
information.
Astalavista : E-business wouldn't be profitable without E-commerce, what
do you think are the major
security problems E-shops face nowadays, how aware of the information
security issue are the managers behind them, and what do you think can
make a significant change in their mode of thinking?
Rich : The biggest security issue is the lack of awareness as a whole. A
good information security strategy takes significant effort and
financial commitment, but many senior managers are unaware of the full
breadth of what information security covers. There is a lot to grasp too,
as information security is an ever-evolving discipline that has to
rapidly change with the changes in the threat environment.
Awareness is still an issue in the banking industry where there is a federal
examiner coming in once a year to tell management what they need to do.
The reason is because examiners have only been focused on information
security since 2001 (when the agencies started to enforce GLBA) and they
are still learning the ins and outs. It's improving, though, as
examiners are visibly becoming savvier with time and communicating more
to the banks.
Dramatic change in other industries is a bit more
elusive as they have no such oversight as the banking industry does.
Still, the Sarbanes-Oxley Act looks to drive better information security
because a deficient security plan violates the due care requirements of
the Act. As the act imposes criminal penalties for faulty compliance,
there will be a lot more pressure once its tenets go into effect this
fall.
Astalavista : Malicious software has always been trying to get hold of
sensitive financial information, how
significant do you think is the threat from worms like the Bizex one in
future?
Rich : It is a significant problem as it goes back to the trust issue.
All banks are adopting online banking,
yet you have malicious code trying to take snapshots of your information
as well as anyone else's who are in your address book.
The FDIC
recently posted a mandate that banks must have a written patch
management program consisting of several steps. The reason the agency
did this is because they realized that poorly patched systems posed a
severe threat and most financial institutions were doing an insufficient
job with regards to patch activities. Right now, the great majority of
banks are highly susceptible to these worms, as are their average
customers who rarely patch their home systems. Of course, even a great
patch management program only goes so far, especially with zero day
exploits.
Astalavista : Despite the latest technology improvements and the security
measures put in place by
companies, a major part of the Internet users are still afraid to use
their credit card online, who should be blamed and most importantly,
what do you think should be done to increase the number of online
customers who want to purchase a good or services but feel secure while
doing it?
Rich : Consumers are afraid for good reasons. How many prime trafficked
sites have been broken? It is
embarrassing, especially when it makes the national media. The latest
technology improvements and security measures are good, but all
merchants as a whole need to impose better security on their end. Those
who don't improve measures will continue to undermine the efforts of
those who do by perpetuating the insecurity that many patrons feel with
regards to online shopping.
Again, it's a trust issue and there
are a significant amount of consumers who don't trust typing their
credit card number into their browser. The good news is that as security
improves throughout online commerce consumer trust will rise.
Astalavista : What's your opinion on companies citing California's security breach
disclosure law and notifying customers of a recent security breach?
Rich : Most companies can absorb any financial losses arising from a breach.
It is the damage to their reputation that poses the greatest risk. What
is more embarrassing than notifying your customers their information
was compromised? Not only does the customer lose trust in the company,
but such a disclosure inevitably becomes public and that can hinder the
ability to draw new customers.
So why do I think this law is
good? Because there is a general apathy among many organizations
regarding their activities to properly protect their systems. Regulation
has been the greatest motivator to improve security. In this case,
forced disclosure is far more motivating than any fine.
------------------------
Astalavista : Mr. Yowler, Cyberarmy.com has been online since 1998, and is a well
known community around the net. But there are still people unaware of
it, can you please tell us something more about the main idea behind
starting the site, and what inspired you the most?
MrYowler : Well, I didn't actually start the site; that was Pengo's doing. I
actually joined when CyberArmy had about 37,000 members, and I worked my
way up the ranks, first by completing the puzzles, and later by
participating in the community as one of its leading members. I was
first put in charge, back in 2002, and I bought the domain from Pengo,
and completely took over, in late 2003.
CyberArmy is a community
of 'hackers' of various skill levels and ethical colors. We focus
primarily upon creating a peer environment in which 'hackers' can share
information and ideas, and we accomplish that through our Zebulun puzzle
and ranked forums, which serve to stratify discussion groups by
comparative technical ability. We tend to focus on 'n00bs', largely
because they are the group that has the most difficulty finding peer
groups to become involved in, because they are the group that most often
needs the technical and ethical guidance that CyberArmy provides, and
because they are the group that is most receptive to this guidance.
I suppose that what I find most inspiring about the CyberArmy is its
tendency to regulate itself. People who are interested in 'hacking
hotmail' tend to gravitate together, and not pester people who are not
interested in it, and when they don't, the community rapidly takes
corrective action on its own. This is a model that I would like to see
extend to the rest of the Internet; spammers and kiddie-porn dealers
should be possible to identify and remove from the networks without the
necessity to monitor *everyone's* email, through some regulatory or
enforcement organization that is largely unrepresentative of the users
that it is chartered to protect.
I like that CyberArmy gives its
members a reason to *think* about social ethics, and to decide upon what
they should be, rather than to simply accept what is established,
without reasoning. I find that to be a fundamental failing of modern
society - that we frequently simply accept law, as the determinant of
social ethics, instead of requiring law to be guided by them. When
people use *judgement*, rather than rely solely upon law, then people
are much more likely to treat one another with fairness. Externally
imposed rules are for people who lack the judgement skills to figure out
how best to behave, without them. And most rules, today, are externally
imposed. I believe that when people *think* about social ethics, it
usually results in a moral fiber that is founded in an honest *belief*
in the moral behavior that they come up with - and that this makes for
infinitely better Internet citizens, than rules or laws that are
supported only by a deterrent fear of reprisals. I think that such
people usually come up with better behavior than the minimum standards
that rules and law do, as well.
Astalavista : Cyberarmy runs a challenge - Zebulun, which happens to be a very popular
one. How many people have already passed the challenge, and what are
you trying to achieve with it besides motivating their brain cells?
MrYowler : About 200,000 people have participated in the Zebulun challenge, over
the years, to one extent or another. Because the challenges are
changed, over time (to discourage 'cheating', and to keep them
challenging, during changing times), the definition of "passed the
challenge" is somewhat variable. Approximately 300-400 people have
completed all of the challenges that were available to them, to obtain
the highest possible rank that one can reach, by solving the puzzles.
That has traditionally been "Kernel" (the misspelling is an intentional
pun) or "General", and it is presently "Kernel". At the moment, the
Kernel puzzle seems to be too advanced, and will probably have to be
changed. There are seven puzzles, and our intended target is that there
should always be about a 2:1 ratio of players, from one rank to the
next. This guarantees that the puzzles will be challenging to most
players, without being discouraging.
Of course, we like
encouraging people to learn. More importantly, I'm trying to get people
to *think*. Anyone can become educated about technical systems; this
only requires time and dedication to the task. And while that is an
important thing to do, it is already heavily stressed in schools, and
throughout most societies and cultures. Smart people know a lot of
things.
But this is not entirely true. Most smart people have
come to realize that "knowledge is power" - but it is not the knowledge
that makes them smart. As with static electricity, which is expressed
only as voltage potential - until it strikes the ground as lightning -
knowledge is not expressed as power, until someone *thinks*, and applies
that knowledge to some useful purpose. Socrates was effectively an
illiterate shoe-salesman (a cobbler), but he is considered a great
philosopher, because he took the little bit that he knew about the world,
and *thought* about it. Not only that, but he convinced others to think
about it, as well. Einstein was a mediocre mathematician and generally
viewed as a quack, until his thinking was expressed in the form of
nuclear energy. *Thought* is what separates the well-educated from the
brilliant - and most successful 'hackers' rely much more upon *thought*,
than upon an exhaustive understanding of the systems that they target.
Not that having such knowledge isn't helpful... :)
I am trying to get people to *think* - not only about intrusion tactics, but also
about defensive measures, motivations, risks, ethics, and about life in
general. Too much of the world around us is taken for granted, and not
questioned. Not thought about. I am trying to make the art of
questioning and *thinking*, into a larger part of people's lifestyles.
Astalavista : How has the infosec industry evolved based on your observations since
1998? Is it getting worse? What are the main reasons behind it? Crappy
software or the end users' lack of awareness?
MrYowler : In its early years, the infosec industry was largely dominated by the
mavericks - as is true with most developing industries. A few people
dominated the profession, with their independence - it gave them the
freedom to tell the business world how things should be, and to walk
away, if the business world was unwilling to comply. Today, we see less
of that, and while the industry is still largely dominated by such
people, the majority of people whose job is to implement system
security, are much more constrained by resource limitations.
Essentially, there are two groups of people in the defensive side of this industry;
the policy-makers and the implementors. Policy-makers are usually
corporate executives, CISOs, legislators, consultants, or otherwise
figures of comparative authority, whose job it is to find out what is
wrong with system security, and to come up with ideas about how to fix
it. Implementors are usually the ones who are tasked with implementing
these ideas, and they are usually system or network administrators,
programmers, security guards, or otherwise people whose influence on
things such as budget and staff allocation, is insignificant. As a rule,
the policy-makers make a great deal of money, establishing policies
that they have very little part in implementing, and often these
policies have a significant impact upon the work loads and environments
of implementors.
It is all well and good, for example, to decide
that there will be no more use of instant messenger software in the
workplace. Stopping it from occurring, however... while remotely
possible, by employing purely technical measures, it is certainly not
desirable or inexpensive. Even monitoring for it can require staff
resources which are rarely allocated for the task, and the effect of
draconian security measures - or penalties for non-compliance - is
usually much more damaging to workplace productivity than the instant
messengers ever were. For some reason, policy-makers have abandoned the
basic principle of system design; "involve the user" - and have
limited themselves to requiring the support of executive management.
Security policy is surprisingly cheaper, faster, and easier to achieve
compliance with, when it also has the support of the rank-and-file
members of an organization - and not the kind of support that is
achieved by putting a professional gun to their heads, by requiring people
to sign compliance agreements. Rather, the support that is achieved by
giving the employees a sense of personal investment in the security of
the system. User awareness is fairly easy to achieve, although users
will tend to disclaim it, when caught in a violation or compromise.
Creating accountability documents, such as security policy compliance
agreements, may combat these disclaimers; but the most truly effective
approach is not to just tell the users and demand compliance - but to
give the users a voice in it, and the desire to strive for it. In many
cases, the users have excellent ideas about areas where system security
falls down - and similarly excellent ideas about how to fix it.
Policy-makers have to bridge the gap between themselves and implementors, or security
will always be 'that pain-in-the-ass policy' which people are trying to
find ways to work around. And instead of the draconian Hand of God,
which appears only so that it can smite you down; security needs to
become the supportive friend that you can always pick up the phone and
talk to, when you have a question or a problem.
That having been said, there is another problem with modern security practices, that is worth giving some attention to...
Because security has traditionally been sold to organizations, as a way to
prevent losses that result from security compromises, these
organizations have begun to assign values to these compromises, and
these values determine the extent to which these organizations will go,
to prevent them. While perfectly reasonable and sensible from a business
perspective, these values are determined largely by educated guessing,
and the value of a compromise can be highly subjective, depending upon
who is making the assessment.
Remember - if your credit information gets into the hands of someone
who uses it to print checks with your name on them, you could spend
years trying to straighten out your credit with the merchants who
accept these checks. It can impact your mortgage interest rates, or
prevent you from getting a mortgage, at all - and it can force you to
carry cash, in amounts that may place you in considerable personal
danger. The organization which pulls a credit report on you, to obtain
this information, however, stands very little to lose from its
compromise, since you are unlikely to ever determine, much less be able
to prove, that they were the source of the compromise.
So, what motivates them to guarantee that all credit report information
is properly protected, destroyed and disposed of? What's to stop them
from simply throwing it in the garbage? And what happens to it, if they
go out of business, or are bought out by some other company? To what
extent do they verify that their employees are trustworthy?
*This* is typically where security falls down. Remember; security is
the art of protecting *yourself* from harm - not necessarily your
customers, your marketing prospects, or anyone else. As a result, most
of the effort to secure systems, goes into protecting the interests of
the people who *operate* those systems - and not necessarily the users
of them, or the data points that they contain information about. In
many cases, legal disclaimers and transfers of liability replace actual
protective countermeasures, when it comes to protecting things that
*you* care about - and in still other cases, a lack of accountability
suffices to make an organization willing to take a chance with your
security, out of a commercial interest in doing so. Marketing entities
often openly sell your information, or sell the use of your information
to market things to you, and make no bones about doing so - after all,
it's not their loss, if your information gets misused - it's yours.
This is a fundamental problem in information security, and for many of
us it costs our personal freedom. The government needs access to all of
our emails, without the requirement to notify us or get a warrant to
access the information, because we might be drug dealers or child
molesters. And I worry that some child molester will gain access to the
information, through the channels that are made available to
government. Amazon.com stores our credit information, in order to make
it easier for us to buy books through them, in the future - and I worry
that all someone needs is the password to my Amazon.com account, to
start ordering books on my credit card. Every time that I fill out an
application for employment, I am giving some filing clerk access to
all the information required, to assume my identity. That information
is worth a great deal, to me - how much is it worth, to them? Enough to
pay for a locking cabinet, to put it into? Enough to put it into a
locked office? Enough to alarm the door? Enough to get a guard to
protect the facility in which it is stored? Enough to arm the guard?
Enough to adequately shred and destroy the information, when they
dispose of it? Enough to conduct criminal background investigations on
anyone that has access to the information? Or do they just get some
general corporate liability insurance, and figure that it's an
unlikely-enough circumstance, that even if it happens, and I'm able
to trace it back to them, and make it stick, in court, that it's worth
the risk of a nuisance liability lawsuit?
At its core, information security is failing, for at least these two
reasons: 1) for all the talk that goes on, very little in the way of
actual resources are devoted to information security; and, 2) people
and organizations usually show comparatively little interest in
anyone's security but their own.
Astalavista : Mr.Yowler, lately we've seen an enormous flood of worms in the wild,
what do you think is the reason?
MrYowler : Firstly, these worms exploit errors in upper-layer protocols
of networks and network applications. Because network applications are
proliferating at an ever-increasing rate, the possible ways to exploit
them are also increasing at this geometric rate - and people who are
interested in exploiting them, therefore have more things to work with.
Secondly, there is a glut of information technology talent in the
United States, perhaps thanks, in part to the collapse of the Internet
economy - and also, in part, thanks to the rush to outsource technology
jobs to overseas entities. Additionally, third-world countries have been
developing technical talent for some years, now, in an effort to
become competitive in this rapidly-growing outsourcing market. This has
created an environment where technical talent is plentiful and cheap -
and often disenfranchised.
In some cases, these worms are written
by kids, with nothing better to do - and that has always been a
problem, which has grown in a linear way, as more and more advanced
technical education has begun to become available to younger and younger
students.
In other cases, this is the technical equivalent of "going postal", in
which a disenfranchised technology worker creates a malicious product,
either as a form of vengeance, or in the hope of creating a need for his
own technical talents, as a researcher of considerable talent, with
regard to the worm in question. Surprisingly, many people who might
otherwise never find work in the technical or security industries, are
able to do so, by making a name for themselves through criminal activity
or other malicious behavior. While demonstrating questionable ethics, it
also demonstrates technical talent, and the notoriety is sometimes more
valuable to a company, than the damage that they risk by hiring someone
whose ethics are questionable. Many people are employed or sponsored in
the lecture circuit, for this reason; they did something that bought
them notoriety - good or bad - and their employer/s figure that they can
benefit from the notoriety, without risking a lot of possible damage, by
putting these people on the lecture circuit.
In an increasing number of cases, these disenfranchised technology
workers are actually employed for the specific purpose of creating
malware, by spyware, adware, and spam organizations, as I will cover in
the next question. When one is forced to choose between one's ethics and
feeding one's children, ethics are generally viewed as a luxury that one
can no longer afford. I, myself, am currently under contract to a
spammer, since I am now approximately two weeks from homelessness, and
better offers have not been forthcoming. I'm writing an application
which will disguise a process which sends out spam, as something benign,
in the process listing, on what are presumably compromised *nix hosts.
The work will buy me approximately one more week of living indoors,
which is really not enough to justify the evil of it, but I am in no
position to refuse work, regardless of the employer. And indeed, if I
did not accept the contract, and cheaply, then it is quite likely that
someone from a third-world country would have done so - and probably
much more cheaply than I did.
Astalavista : Recently, spammers and spyware creators started using
0-day browser bugs, in order to disseminate themselves in ways we didn't
consider serious several months ago. Did they get smarter and finally
realize the advantages of a 0-day exploit, compared to those of an
outdated and poisoned e-mail database?
MrYowler : As indicated in the previous question, spam, spyware and
adware organizations are beginning to leverage the fact that there is
now a glut of technical talent available on the world market, and some
of it can be had, very cheaply. These organizations have been taking
advantage of technical staff that could not find better work for a long
time. As more people who possess these talents, find themselves unable
to sustain a living in the professional world; they are increasingly
likely to turn to the growing professional underground.
Employment in the security
industry is no longer premised on talent, ability, education, skill, or
professional credentials, and there are essentially three markets that
are increasingly reachable, for the malware professional world. 1)
Third-world nations with strong technical educational programs are
simply screaming for more of this sort of comparatively lucrative work
to do. 2) Young people who lack the age or credentials to get picked up
professionally, by the more respectable organizations, often crave the
opportunity to put 'hacking' skills, developed in earlier years, to
professional use. 3) Older technology workers, finding it difficult to
find work in a market dominated by under-30-year-old people, often have
large mortgages to pay, and children to put through college, and are
willing to take whatever work they can find - if not to solve their
financial problems, then perhaps to tide them over until a better
solution presents itself.
It's not so much that spam, spyware, and adware marketers have become
smarter, as it is that greater technical talent has become available to
them. The same people who used to develop and use blacklists, and filter
spam based upon header information for ISPs that have since gone
bankrupt or been bought out, are now writing worms that mine email
client databases, to extract names and addresses, and then use this,
combined with email client configuration information, to send spam out
from the user's host that the addresses were mined from. They are using
the user's own name and email address, to spoof the sender - even using
the SMTP server provided to the victim, by their ISP, to deliver the
mail. This effectively permits them to relay through servers that are
not open relays, and distributing the traffic widely enough to stay
under the spam-filtering radar of the sending ISPs, and to evade the
blacklisting employed by the receiving ISPs. It also permits them to
leverage the victim's relationship to the recipients of the spam, in
order to get them to open and read it - and sometimes, to get them to
open attachments, or otherwise infect themselves with the worm that was
used to reach them. The spammers have not previously been able to hire
talent of this grade, very often - now, this talent is often not only
available, but often desperate for cash, and therefore willing to work
cheap.
It's a bit like an arms race. In the rush to develop enough technical
talent to defend against this sort of thing, we have developed an
over-abundance of talent in the area - and that talent is now being
hired to work against us. This will presumably force people to work even
harder at developing countermeasures, and repeat the cycle. Assuming, of
course, that the threat is taken seriously enough by the public, to keep
the arms race going. After all - once everybody has enough nuclear
weapons to destroy all the life on Earth, then there isn't much point in
striving to build more. You just have to learn to deal with the constant
threat of extinction, and try not to take it too seriously - since
there isn't really anything to be done about it, any more. We seem to be
rapidly approaching this mentality, with regard to malware.
Astalavista : What is your opinion on ISPs that upgrade their
customers' Internet connections for free, while not providing them with
enhanced security measures in place? To put it in another way, what do
you think is going to happen when there're more and more novice ADSL
users around the globe, who don't have a clue about what is actually
going on?
MrYowler : This comes back around to the second point, with regard to the problems of
information security, today. People have little interest in anyone's security but their own.
The ISPs *could* block all outgoing traffic on port 25, unless it is
destined for the ISP's SMTP servers - and then rate-limit delivery of
email from each user, based upon login (or in the case of
unauthenticated broadband, by IP address). This is a measure that would
have effectively prevented both the desktop server and open relay
tactics that I described in my paper, "Bulk Email Transmission Tactics",
about four years ago, and it would severely constrain the flow of spam
from zombie hosts in these user networks. The problem is that they don't
care. They only care when the spam is *incoming*, and then they can
point fingers about how uncaring someone else is. The same holds true
for individual users.
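One way to model the ISP-side measure MrYowler describes (drop customer traffic to port 25 unless it goes to the ISP's own SMTP servers, then rate-limit each sender by login or, for unauthenticated broadband, by source IP), as an added Python simulation that is not part of the interview. The server and customer addresses, the limits and the sample connection log are constructed for the example; a real deployment would express the same policy in the edge router's filter rules.

```python
from collections import defaultdict, deque
from ipaddress import ip_address

SMTP_PORT = 25


class EgressSmtpPolicy:
    """Per-customer egress policy for TCP/25, as described in the interview.

    Constructed example: the ISP relays mail only through its own SMTP
    servers, and each sender gets a sliding-window budget of deliveries.
    """

    def __init__(self, isp_smtp_servers, max_msgs, window_seconds):
        self.servers = {ip_address(s) for s in isp_smtp_servers}
        self.max_msgs = max_msgs
        self.window = window_seconds
        # sender key -> timestamps of deliveries accepted inside the window
        self._accepted = defaultdict(deque)

    @staticmethod
    def sender_key(src_ip, login=None):
        # Authenticated sessions share one budget per login no matter which
        # address they come from; unauthenticated broadband falls back to
        # the source IP, which is all the ISP can attribute the traffic to.
        return f"user:{login}" if login else f"ip:{src_ip}"

    def check(self, src_ip, dst_ip, dst_port, now, login=None):
        """Return the verdict for one outbound connection attempt."""
        if dst_port != SMTP_PORT:
            return "ACCEPT"              # the policy only concerns SMTP egress
        if ip_address(dst_ip) not in self.servers:
            # Direct-to-MX delivery from a customer host is the desktop
            # server / zombie pattern: drop it at the ISP edge.
            return "DROP_NOT_ISP_SMTP"
        window = self._accepted[self.sender_key(src_ip, login)]
        while window and now - window[0] >= self.window:
            window.popleft()             # expire deliveries outside the window
        if len(window) >= self.max_msgs:
            return "DROP_RATE_LIMIT"     # burst from one sender, zombie-style
        window.append(now)
        return "ACCEPT"


def replay(policy, attempts):
    """Apply the policy to (src, dst, port, time, login) tuples; count verdicts."""
    counts = defaultdict(int)
    for src, dst, port, t, login in attempts:
        counts[policy.check(src, dst, port, t, login)] += 1
    return dict(counts)


# Constructed sample: one compromised customer host hammering a remote MX
# and then the ISP relay, plus one legitimate authenticated user.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", "203.0.113.9", 25, 0.0, None),    # direct to remote MX
    ("198.51.100.7", "192.0.2.25", 25, 1.0, None),
    ("198.51.100.7", "192.0.2.25", 25, 1.5, None),
    ("198.51.100.7", "192.0.2.25", 25, 2.0, None),
    ("198.51.100.7", "192.0.2.25", 25, 2.5, None),     # fourth in 60 s: over budget
    ("198.51.100.7", "203.0.113.9", 443, 3.0, None),   # HTTPS, untouched
    ("198.51.100.42", "192.0.2.25", 25, 4.0, "alice"),
]

if __name__ == "__main__":
    policy = EgressSmtpPolicy(["192.0.2.25"], max_msgs=3, window_seconds=60)
    print(replay(policy, SAMPLE_ATTEMPTS))
    # → {'DROP_NOT_ISP_SMTP': 1, 'ACCEPT': 5, 'DROP_RATE_LIMIT': 1}
```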
It is neither difficult nor expensive to implement a simple broadband
router, to block most incoming traffic which would be likely to infect
user hardware with malware. It is also not difficult or expensive to
implement auto-updating virus protection, spyware/adware
detection/removal, and software patching. It could be done even more
cheaply, if ISPs were to aggregate the costs, for all of their users,
and buy service contracts for this kind of protection, in bulk, for
their users, and pass the cost along as part of the 'upgraded' service.
Unfortunately, the nominal cost of doing so, would have to be borne by
users who do not take the threat seriously, and who only care about the
threat, when it has a noticeable impact on them. Since many of the
malware packages are designed *not* to have a noticeable impact on the
user - using them essentially as a reflection, relay, or low-rate DDoS
platform, or quietly extracting data from their systems which will be
abused in ways not directly traceable to their computer - these users do
not perceive the threat to be real, and are therefore unwilling to
invest - even nominally - in protecting themselves from it. ISPs are not
willing to absorb these costs, and they are not willing to risk becoming
uncompetitive, by passing costs on to their subscribers; so they pay lip
service to questions of security and antispam service, and perform only
the most minimal tasks, to support their marketing claims.
As with most organizations, the security
of the organization itself, lies at the focus of their security
policies. The security of subscribers, other network providers, or other
Internet users in general, is something that they go to some trouble to
create the perception that they care about, but when the time comes to
put their money where their mouths are, it's just not happening.
Astalavista : Thanks for your time.
MrYowler : Any time... :-P
----------------------------
Dancho : Hi Prozac, Astalavista.com - the underground has been one of
the most popular and well known hacking/security/cracks related web
sites in the world since 1997. How did it all start? What was the idea
behind it?
Prozac :
Basically, it was me and a college friend that started Astalavista.com
during our student years. The name of the site came from the movie
Terminator 2 from Schwarzenegger's line " Hasta la vista Baby"! Back in
those days there weren't many qualified security related web sites, and
we spotted a good opportunity to develop something unique, which quickly
turned into one of the most popular hacking/security sites around the
globe. In the beginning, it was just our Underground Search List, the
most comprehensive and up-to-date search list of underground and
security related web sites, based on what we define as a quality site.
Then we started providing direct search opportunities and started
developing the rest of the site. Many people think we did some serious
brainstorming before starting Astalavista, well, we did, but we hadn't
expected it to become such a popular and well known site, which is the
perfect moment to say thanks to all of you who made us as popular as
we're today.
Dancho : Astalavista.com always
provides up to date, sometimes "underground" documents/programs. The
Security Directory is growing daily as well, and it has been like this
for the past several years. How do you manage to keep such an archive
always online, and up to date?
Prozac :
Astalavista's team members are aware of what's "hot" and what's
interesting for our visitors, just because we pay an enormous attention
to their requests for security knowledge, and try to maintain a certain
standard, only quality files. While we add files every day, a large
number of those are submitted by our visitors themselves, who find their
programs and papers highly valued at our site, as we give them the
opportunity to see how many people have downloaded their stuff.
Dancho : Astalavista occupies people's minds as the underground search engine. But what is Astalavista.com all about?
Prozac : The majority of people still think Astalavista.com is a Crack
web site, which is NOT true at all. Astalavista.com is about spreading
security knowledge, about providing professionals with what they're
looking for, about educating the average Internet user on various
security issues; basically we try to create a very well segmented portal
where everyone will be able to find his/her place. We realize the fact
that we're visited by novice, advanced and highly advanced users, even
government bodies; that's why we try to satisfy everyone with the files
and resources we have and help everyone find precious information at
astalavista.com. Although we sometimes list public files, the exposure
they get through our site is always impressive for the author, while on
the other hand, some of the files that are listed at Astalavista.com
sometimes appear for the first time at our site. We try not to emphasize
the number of files, but their quality and uniqueness.
Dancho : Everyone knows Astalavista, and sooner or later everyone visits
the site. How did the image of Asta become so well-known around the
world?
Prozac : Indeed, we are getting more and more visitors every month, even
from countries we didn't expect. What we think is important is the
quality of the site, the lack of porn, the pure knowledge provided in
the most professional and useful way, the free nature of the site,
created "for the people", instead of getting it as commercial as
possible. Yes, we work with a large number of advertisers, however, we
believe to have come to a model where everyone's happy, advertisers for
getting what they're paying for, and users for not being attacked by
adware or spyware or a large number of banners.
Dancho : A question everyone's asking all the time - is Astalavista.com illegal?
Prozac : No! And this is an endless debate which can be compared to the
Full Disclosure one. We live in the 21st century, a single file can be
made public in a matter of seconds, then it's up to the whole world to
decide what to do with the information inside. We're often blamed
because we're too popular and the files get too much exposure. We're
often blamed for serving these files to script-kiddies etc. Following
these thoughts, I think we might also ask, is Google illegal, or is
Google's cache illegal?! Yes, we might publish certain files, but we'll
never publish "The Complete Novice Users on HOWTO ShutDown the Internet
using 20 lines VB code". And no, we don't host any cracks or warez
files, and never will.
Dancho : Such a popular security site should establish a level of social
responsibility - given the fact how popular it is around the world, are
you aware of this fact, or basically it's just your mission that guides
you?
Prozac : We're aware of this fact, and we keep it in mind when approving
or adding new content to the site. We also realize that we still get a
large number of "first time visitors", some of them highly unaware of
what the security world is all about; and we try to educate them as
well. And no, we're not tempted by "advertising agencies" eager to place
adware/spyware at the site, or users submitting backdoored files, and we
have a strict policy on how to deal with those - "you're not welcome at
the site"!
Dancho : We saw a completely new and "too professional to be true"
Astalavista.com since the beginning of 2004 - what made you renovate the
whole site, and its mission to a certain extent?
Prozac : It was time to change our mission in order to keep ourselves
alive, and most importantly, increase the number and quality of our
visitors, and we did so by finding several more people joining the
Astalavista.com team, closely working together to improve and popularize
the site. We no longer want to be defined as a script kiddies' paradise,
but as a respected security portal with its own viewpoint in the
security world.
Dancho : What should we expect from Astalavista.com in the near future?
Prozac : To put it in two words - changes and improvements. We seek
quality and innovation, and have in mind that these, developed by us,
have an impact on a large number of people - you, our visitors. Namely
because of you we're devoted to continue to develop the site, and
increase the number of services offered for free, while on the other
hand provide those having some sort of purchasing power and trusting us
with more quality services and products.
Dancho : Thanks for the chat!
Prozac : You're more than welcome :)
---------------------------------------
Interview with Candid Wuest, http://www.trojan.ch/
Astalavista : Candid, would you, please, introduce yourself to our readers and tell us more about your background in the security industry?
Candid : Well, my name is Candid and I have been working in the computer
security field for several years now, performing different duties for
different companies. For example, IBM Security Research and Symantec to
name the most known ones. I got a master's degree in computer science
but, in my opinion, in this business curiosity is the main thing that
matters.
Astalavista : What do you think has had
a major impact on the popularity of malware in recent years? Is it the
easiness of coding a worm/trojan or the fact that the authors don't get
caught?
Candid : Why do people code worms? Because they can?
The first point I would like to mention here is the growth of the
Internet as a whole in the last years. More people getting a system and
more people getting broadband access means more people are exposed to
the risks. You may say the fish tank has grown over the years; therefore
it is clear that there is now also more space for sharks in it.
I think the few people who were caught have scared some and stopped
them from doing the same, but the media hype they have caused has for
sure attracted new ones to get started with the whole idea. So this
might balance out even, and these were mostly smaller fishes, which
didn't take enough precautions.
Another point to mention is that
it is really easy to download a source code and create your own malware
and it is getting easier every day. There are many bulletin boards out
there with fast growing communities helping each other in developing new
methods for malware or simply sharing their newest creations.
When recalling the last hundreds of worms we saw in the wild for the
last time, most of them were similar and much alike. Nearly no direct
destructive payload and not much innovation in regards to the used
methods. Just a mass mailer here or an IRC bot there.
That's why I think the motivation is a mixture of the easiness of doing
so and the mental kick suggested by the media, which pushes the bad
underground hacker image. (Even though the media seldom uses the term
hacker correctly in its original meaning.) This seems to motivate many
to code malware: just because they can.
In the future money might become a new motivation for malware writers, when industrial parties get involved in it.
Astalavista : Where's the gap between worms in the wild and the large
number of infected computers? Who has more responsibility, the system
administrators capable of stopping the threat at the server level, or
the large number of people who don't know how to protect themselves
properly?
Candid : As we all should know 100%
security will never be reached, regardless of what the sysadmin and the
end user do. A good example for this is the recent issue with the JPEG
and TIFF malware, which sneaked through many filters.
In my opinion the sysadmins have the easier task, as they can enforce
their restrictions; often it's just a question of having the time to do
it properly. Don't get me wrong here. I know the whole patching issue
may be quite a pain sometimes. Of course, they have all the users and
the management complaining if the restrictions are (too) tight but
that's how it works, right :-)
Therefore I think often it is the end user who has not enough protection
or simply does not care enough about it. Many users still think that no
one will aim at them, as they are not an interesting target, but DDoS
attacks for example do exactly target such a user. Of course, many end
users don't have the possibilities of a sysadmin. In general, it comes
down to an AntiVirus and a personal firewall application, which still
leaves enough space for intruders to slip through.
So, as always, it should be a combination of an ISP, a sysadmin and an end user working together to protect themselves.
Astalavista : We've recently seen a DDoS mafia, something that is
happening even now. What is the most appropriate solution to fight
these? Do you think this concept is going to evolve in time?
Candid :
DDoS attacks are quite hard to counter if they are performed in a
clever way. I have seen concepts for which I haven’t seen a working
solution yet. Some can be countered by load balancing and traffic
shaping or by simply changing the IP address if it was hard coded. More
promising would be if you could prevent the DDoS nets from being
created, but this goes back to question number three.
Astalavista : Have you seen malware used for e-spionage, and do you think it's the next trend in the field?
Candid : This is nothing new; malware has been used for industrial
e-spionage for years. Usually, it just isn't that well known as those
attacks might never get noticed or admitted in public. I have seen
plenty of such attacks over the last years. This for sure will increase
in time as more business relevant data gets stored in vulnerable
environments. In some sort you could even call phishing an art of
espionage. But I think the next big increase will be in the adware &
spyware field where malware authors will start getting hired to write
those applications as it already happens today. Or are you sure that
your favourite application is not sending an encoded DNS request back
somewhere?
----------------------------------------
Interview with Anthony Aykut, Frame4 Security Systems http://www.frame4.com/
Astalavista : Anthony, would you please tell us something more about
your experience in the InfoSec industry, and what is Frame4 Security
Systems all about?
Anthony : Sure. I guess I am what you
would primarily call a "security enthusiast", with what I came to see
as "a keen sense of security business enthusiasm". Actively following
the Trojan/Virus community since my teens in the late-1980's, I have
been working in the IT industry since the early 90's, though up until
2002 I have never felt the need to follow the IT security path. Let's
just say that a certain chain of events made me "fall" into it :-)) ...
and that is when I decided to start Frame4 Security Systems.
Frame4 Security Systems is a small IT-Security company based in the
Netherlands. We offer the usual "out-of-the-box" professional security
services (security audits, pen-testing, etc.), but we especially pride
ourselves on our outstanding security awareness programs (seminars and
courses), exceptional service, and our upcoming "ProjectX Security
Knowledgebase". I really feel that we are on a unique playing-field
with Frame4; whereas big (and often expensive) consultancies are
primarily focused on big companies/contracts, bottom line figures and
dead-lines - the Security Awareness on a personal (employee) level often
gets overlooked. This creates a well-known security gap that gets
exploited more and more often, rendering the million-dollar security
solution back in the server-room absolutely useless. I have personally
seen good examples of this within big companies -- and it is therefore
we let the big boys do what they are good at by providing solid, proven
solutions, whereas we have the unique opportunity of "fighting the
disease from inside-out".
Astalavista : "Internet privacy", do these words still exist in your opinion?
Anthony : To a large extent (and unfortunately), no. But I guess this
was to be expected with millions of people pumping their personal data
into online databases and keeping information on their PCs. It is an
open field, with little or no control or control structure. Let's face
it, (personal) information and data is big business, and people will do
absolutely anything from hacking databases to infecting people with
spyware/trojans to extract that information. And in some cases,
custodians of personal information have just made it way too easy for
other (unauthorised) people to gain access to private data. I guess
that's when the finger-pointing started :-)
But on a more serious note, I have friends who are so paranoid that they
only surf the net behind a wall of proxies and anonymizers, under
false/assumed names and identities. Me, I am just careful; I think when
people have a basic online awareness level, and know what to look out
for, it is no more a threat to your information than, say, putting your
garbage outside and someone going through it (a.k.a. dumpster diving).
Astalavista : We have recently seen a large number of DDoS extortion
schemes, whereas certain companies comply behind the curtains, should we
consider every E-business site that goes down a victim of extortion
schemes? What do you think a company should do in a situation like this?
Anthony : I personally think that "head-in-the-sand" ostrich attitude
is completely wrong; pay once to one extortionist, and a dozen others
will line up to grab that easy cash. I don't think you should comply and
give in to any of these demands (I prefer to call them threats) but come
out with it in the open and track down the perpetrators if possible.
Openness, like some companies have chosen, may possibly dent your
corporate identity on a temporary basis, but also takes away the power
of the extortionist. We have seen that this approach is the lesser of
two evils in general, especially true if your business does not depend
on an internet presence per se.
Astalavista : In today's world of "yet another worm in the wild", what
do you think are the main consequences for this cycle, and what do you
think should be done in order to prevent it?
Anthony : Well, I am pretty clear on that. As long as publicly/privately
available source-code floats around the web, not much can be done -
unless the AV vendors come up with better technologies. It really is up
to them to come up with better and improved techniques to protect our
systems - more and more the current AV technology is showing that it is
getting out-dated by being circumvented in many ways. I am more than
aware that it is difficult to "protect against the unknown", but I just
know there should be more. Maybe AV vendors should float a bit more
within the "community" to gain awareness :-)
To be honest, with the advent of other malware, such as Trojans,
Sniffers, Keyloggers and Spyware to name a few and many interesting
technologies such as Firewall-Bypassing, etc. it is getting more and
more obvious that we need an "All Comprehensive Malware Solution" rather
than just a pattern based AV system. It just ain't cutting it anymore.
Until then, keep up your defences and update those virus patterns on a
daily basis!
Astalavista : The threat and actual infections with spyware opened up an entire
market for anti-spyware related services and products, whereas millions
of people out there are still infected, and some are even unaware of it.
What is your opinion on the recent government regulations targeting
spyware vendors, but allowing "spy agencies" to use spyware? What do you
think is going to happen on the spyware scene in the next couple of
years?
Anthony : Well, as I pointed out in your
previous question, I tend to see Spyware almost in the same category as
Trojans, Viruses and other malware. Subsequently I think things are
going to get (much) worse before they (I hope, eventually) get better,
and it is going to take some considerable changes in AV technology for
one (along with our ways of thinking) to ensure people will not take
advantage of these technologies to the disadvantage of others.
Currently
things are not looking too good: governments have proven that we cannot
trust their ineffective and inevitably slow schemes and until
better/additional technologies are invented to bolster our AV defences,
we are pretty much sitting duck targets. This has been proven yet again
with the recent "hijacking" of 1000's of zombie/drone PCs to perform
DDoS attacks, etc. So it is really up to the individuals to get at least
some basic security measures up and running, and there are plenty of
reputable web-sites out there to provide all the information one needs
to secure themselves well.
Astalavista : Thanks for your time.
Anthony : No problem!
-------------------------
Interview with Dave Wreski, http://www.linuxsecurity.com/
Astalavista : Dave, tell us something more about your background in the InfoSec industry and what is LinuxSecurity.com all about?
Dave : I have been a long-time Linux enthusiast, using it before version
v1.0 on my 386DX40 home PC, which prompted me to dump Windows shortly
thereafter and I've never looked back.
In early 1993 I began to
realize the tremendous value that Linux could bring to the security
issues I was facing. I found the decisions I was making, with regard to
managing computer systems, were more and more based on the impact
security had on the data residing on those systems. It's certainly more
challenging to keep the bad guys out than it is the other way round -
the bad guys have to only be right once, while the good guys have to
always make the right decisions. So I created a company to help ensure
the good guys had the tools necessary to make the most effective options
to keep their networks secure.
The void in comprehensive
information on security in the Linux space was the primary reason I
started LinuxSecurity.com in 1996. Since then, we have seen millions of
visitors make it their primary information resource. In fact, we're
completely revamping the site with new features, greater functionality
and a whole new look - launching December 1st.
Astalavista : What was the most important trend in the open-source security scene during the last couple of years, in your opinion?
Dave : Actually, there have been so many that it's difficult to focus on any
one in particular. Certainly, the adoption of open standards by many
vendors and organizations makes it much easier to communicate between
disparate systems securely. The maturity of the OpenSSH/OpenSSL
projects, IPsec, and even packet filtering has enabled companies,
including Guardian Digital, to create solutions to Internet security
issues equal to, or better than, their proprietary counterparts.
Astalavista : The monopolism of Microsoft in terms of owning more than 95% of the
desktops in the world has resulted in a lot of debates on how insecure
the whole Internet is because of their insecure software. Whereas my
personal opinion is that if Red Hat had 95% of the desktop market, the
effect would be the same. Do you think their software is indeed
insecure, or does it just happen to be the one most targeted by hackers?
Dave : I think the mass-market Linux vendors try to develop a product that's
going to provide the largest number of features, while sacrificing
security in the process. They have to appeal to the lowest common
denominator, and if that means delivering a particular service that is
requested by their customers, then much of the responsibility of
security falls on the consumer, who may or may not be aware of the
implications of not maintaining a secure system, and in all likelihood,
does not possess the ability to manage the security of their system.
Astalavista : The appearance of Gmail and Google Desktop had a great impact on the
privacy concerns of everyone, however these expenditures by Google
happened to be very successful. Do you think there's really a privacy
concern about Google, their services and privacy policy, and, most
importantly, the future of the company?
Dave : No, not really. I actually think that most of us gave up our privacy
years ago, and any privacy that remains is only in perception. There's
far more damage that could be done through things like the United
States Patriot Act than there is through Google reading your general
communications. Anyone who has half a brain and wants to make sure their
communications are not intercepted is using cryptography for electronic
issues.
Astalavista : We've recently seen an
enormous increase of phishing attacks, some of which are very
successful. What caused this in your opinion? What is the way to limit
these from your point of view?
Dave : Reduce the
human factor involvement somehow. Phishing is just the new "cyber" term
for social engineering, which has existed forever. Through the efforts
of Guardian Digital, and other companies concerned about the privacy and
security of their customers' data, we are making great strides towards
user education, and providing tools for administrators to filter
communications.
Astalavista : Spyware is another
major problem that created an industry of companies fighting it, and
while the government is slowly progressing on the issue, the majority of
PCs online are infected by spyware. Would you, please, share your
comments on the topic?
Dave : This issue is
different from issues such as phishing because the end-user is not aware
it is occurring. The responsibility here falls directly on the
operating system vendor to produce an environment where security is
maintained. In other words, by creating software that enables the
end-user to better define what constitutes authorized access, users can
develop a situation where this type of attack does not succeed. In the
meantime, application-level security filters and strict corporate
information policies thwart many of these types of attacks.
Astalavista : What do you think will happen in the near future with Linux vs.
Microsoft? Shall we witness more Linux desktops, or will entire countries
be renovating their infrastructure with Unix-based operating systems?
Dave : We are already seeing a growing trend on an international level in
the migration from Windows operating systems to Linux. Guardian Digital
has implemented several Linux-based solutions for multi-national and
international corporations who recognize the costs and security risks
associated with a Windows system, and if our business is any indication
of the growth potential, I'd say Microsoft is going to have a real fight
on their hands.
Although I'm not too involved in the desktop
space itself, I am completely comfortable with my cobbled-together Linux
desktop, much more than just a few years ago. I think that as more and
more computing tasks become distributed - moved from the desktop to
being powered by a central server - it will become easier to rely on
Linux on the desktop and the growth will continue.
--------------------------------
Interview with Mitchell Rowton, http://www.securitydocs.com/
Astalavista : Hello Mitchell, would you please tell us something more about your
background in the information security industry, and what is
SecurityDocs.com all about?
Mitchell : I joined
the US Marine Corps after high school. There I worked a helpdesk for a
year or so before moving on to being a server administrator. After a
while I became more and more interested in the networking side of things
(switches and routers). Firewalls weren't used that often back then,
and one day I was asked to put up an access-control list (ACL) on our
border router. After that I started getting more and more security
responsibility. When I left the Marine Corps I used my security
clearance to get a job as a DoD contractor, then a contractor in the
health care industry.
By this time in my life I had a wife and
kids. So I took a job that was more stable and didn't have as much
travel, closer to home. When I think back, this is probably when the idea
behind SecurityDocs.com was born. While I was leaving one job and going
to another I was told to do a very in-depth turnover about starting an
incident response team at the company. So how do you explain how to
start an incident response team at a Fortune 500 company in a turnover
document? After a while I gave up and put several dozen links to white
papers that discuss starting an incident response team.
Basically that's what SecurityDocs.com is - a collection of security white papers
that are organized into categories so that it's easy for someone to
learn any particular area.
Astalavista : The
media and a large number of privacy-conscious experts keep targeting
Google and how unseriously the company is taking the privacy concerns of
its users. What is your opinion on that? Do you think a public company
such as Google should keep to its one-page privacy policy and
contradictory statements given the fact that it's the world's most
popular search engine?
Mitchell : I should
start off by saying that my company makes money through Google's AdSense
program. That being said, it seems like most of the media hoopla
surrounding Google privacy has centered around Gmail and desktop search.
I just don't see a problem with either of these issues. I signed up for
Gmail knowing that I would see targeted text ads based on the content
of e-mail that I was viewing.
And I know that Google is going to
learn some general stuff about everyone's desktop searching habits. They
will know that PDFs are searched for more often than spreadsheets and
other non-specific information. None of which is personally
identifiable.
Astalavista : Phishing attacks are
on the rise, each and every month we see an increasing number of new
emails targeting new companies. What do you think of the recent exploit
of the SunTrust bank web site? Are users really falling victim to these
attacks or, even worse, are they getting even more scared to shop online?
Mitchell : The blame in this specific case falls mostly with the bank, but also
on the users. I can't remember the last time my bank asked me for my ATM
or credit card number on a non-secure page. That being said, I know
that my grandmother would probably fall for this. Sure users should
check for SSL Certificates and use common sense. But more importantly
financial institutions should not allow cross site scripting or
malicious scripting injections.
If this type of phishing continues to rise then I imagine it will make the average user a little
more worried about giving information online. This is bad for companies,
but as a security guy, I think that most users should be more worried
about who they give their information to. There are a lot of phishing
attacks that have nothing to do with the institutions. In cases like this,
users must use some basic security common sense or risk getting scammed.
Astalavista : What used to be a worm in the wild launched by a 15-year-old kid or
hacktivist, has recently turned into "DDoS services on demand", what do
you think made this possible? Is it the unemployed authors themselves,
the real criminals realizing the potential of the Internet, or the
unethical competition?
Mitchell : I'm sure it's a
combination of all three. But it's also getting more popular because it
hurts more today than it used to. Five years ago an organization's web
site was usually little more than an online brochure that wasn't too
important in the scheme of things. Today their website is probably
tightly integrated into their business model, and will cause a large
financial and reputation loss if it is compromised or unusable.
The first step in doing a security assessment is to determine what's really
important. Most companies should realize that having the same security
mechanisms in place that they had three years ago is putting them more
and more at risk because these security mechanisms are protecting
information that gets more important every day.
Astalavista : Recently, the FBI has been questioning Fyodor, the author of NMAP
over accessing server logs from insecure.org. Do you think these
actions, legal or not, can have any future implications on the users'
privacy at other web sites? I mean, next it could be any site believed
to be visited by a criminal, and besides all, how useful might this information
be in an investigation?
Mitchell : I had a
mixed reaction when I first read about this. But I must say that Fyodor
handled this superbly. He sent an e-mail out telling people what was
happening and explaining that he was only complying with properly served
subpoenas. He also puts things into perspective. If someone hacks into a
server and downloads nmap at a specific time, then perhaps law
enforcement should be able to view the nmap server logs for that
specific time. On the other hand what if I were also downloading Nmap at
that time? I personally wouldn't care if anyone knows that I download
nmap, but I can also understand why other people would be bothered by
this. Overall I agree with very narrow subpoenas directed at specific
time periods and source IPs.