Exploits and large companies | How nothing has changed since 1998

header

I am posting something a bit different today a opinion article on something I feel to be true. The basis is from a video from 1998’s L0pht testimony and a comparison of how little things have changed since then.

Recently in the Washington Post there was an article about the hacker group called L0pht and their plea to the government on how private companies need to be responsible for the software they put online. They were trying to bring to light that if you want a more secure system then don’t put it online. This does not mean that offline systems are impervious to attacks either.  The testimonial is worth the 1 hour run time and I recommend you listen to it on youtube. It is very important if your business is accountable for holding data records, login info, and customer info. This is not related to my previous article but rather all kinds of software I see day in and day out.

I just wanted to touch on a few items on the video that I believe to still be prevalent in todays online culture and mentality of corporate security.

“Can the systems be secured? In most cases they can be … they can be remedied by incorporating relatively trivial and inexpensive cryptographically secure authentication.”
Often some of the insecure items I come across are due to no security at all, whether they end up using plain text to store data in the database or don’t use common and readily available technologies like HTTPS or TLS in order to transmit over public forms of communication. Having something is always better than having nothing.

“Insecure software is cheaper and easier to sell as there is no liability tied to the manufactures” … “encourage companies to include this [security] in their products and hold them liable when their products fail.” 
Selling software is easy, ensuring it has perfect security is impossible. No product will ever be truly secure, it is not a matter of if but rather when.

“I don’t think it is possible to create a fool proof system, but I don’t think that should be the goal. The goal should be very difficult to get in.”
Putting hurdles in the way of would be exploiters slows them down and keeps away the script kiddies. This in combination with monitoring incursion events would keep organisations aware. Security needs to roll forward with the times, it is not something you can deploy and hope it will work for the lifetime of the product.

“If you have sensitive information then you should not share it with networks that are less secure or less trusted”
As straight forward as this sounds it could be a simple as allowing VPN users from outside of the office in or more commonly BYOD enrollment in the office.

So that leaves us with what can be done about it.
For starters listen and be aware to what is going on in both the industry and with your own systems. I am not saying go out now and update your Watchguard and Ironport devices and patching every device on the network. Simply I am referring to read up on what is going on, is there a new exploit for TLS downgrading that could affect my S3 instance? Are my offsite backups stored in an encrypted manner? Is there documentation on how strong this manner stands up to bruteforce techniques? Have I looked at the FTP logs for unusual activity? Maybe I should not have a FTP account that could expose the internal file server.  All of these questions lead to new avenues of learning and awareness.

Also, listen to users who are trying to help. Its much easier and cheaper to ignore a problem, however when a internal or external user lets you know there is a issue with the current implementation list, getting upset will only make the user think twice about letting you know in the future. I see this as one of the biggest roadblocks on reporting issues. It is far easier to sell a exploit online and actually make money than it is to report it and then have pressure from the company. In a more recent example with starbucks. Imagine if this exploit was sold.
“The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead.”
The selling of zero days and exploits also hurt the company far more than if they were to fix it after it was disclosed to them. This comes at a higher cost to both the organization and the clients that had put their faith and more importantly their data into the organization.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anti-Spam Quiz: