Full Disclosure mailing list archives

Re[6]: Response to comments on Security and Obscurity


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 2 Sep 2004 17:41:39 +0400

Dear James Tucker,


--Thursday, September 2, 2004, 3:16:45 PM, you wrote to 3apa3a () security nnov ru:


Even more. This is a very common scenario and this scenario must be
covered by security policy. You are either unfamiliar with this problem
or your information is out of date.

JT> Security policies never "go out of date" and this scenario as you
JT> agreed with me, is still common today. If it is still common then
JT> please explain how is this "out of date"?

Security policy is never out of date because it's reviewed on a regular
basis. It's your information about available solutions that is out of
date.

JT> Even viri don't go "out of date", although many virus checkers
JT> probably don't hold some of the really old DOS, amiga, apple and unix

First, you constantly mess virii with worms and trojans. OK, let's think
as you said "malware". Whether malware is out of date or not depends on
the protection method you use against it. If you use antivirus - OK.
You're protected against known viruses and maybe some future
modifications of known viruses. This is very poor protection. A good
protection is creating sandboxes on application, OS or hardware level.
For example, in a very simple case where the user can only run a signed
application from an allowed list, most virii become out of date.

In fact, the problem of virii is one of the largest and most expensive
hoaxes. An antiviral program gives no protection. You can treat it as a
kind of auditing tool which can alert you in case of poor
administration (you must sack your administrator if you catch virii on
your internal network) and filter some junk mail on your mail server,
like a SPAM filter does.

JT> virus definitions. As we have seen in another discussion on this
JT> list there may well still be a risk of possible infection over
JT> RS232, no matter how unlikely it is, I respect the author of that
JT> question for asking about such possibilities. He was clearly trying
JT> to cover all bases.

I have a different opinion on this question. I do not read this
discussion because I know the answer, even for the case where there is
no network protocol bound to the port and no software service listening
on it. I can point you to a real life exploit with executing code
directly from the port (of course, if you want to learn these dirty
exploitation things). See "Bonus" section in
http://www.security.nnov.ru/search/document.asp?docid=6145

JT> I am aware of this, however follow the same scenario through to
JT> fruition and you will find the CEO doesn't bother to take out his
JT> smart card, at least for the first 6 months of having one. Education

It means spending the first 6 months without leaving the room for him,
because he will not be able to leave the room without taking out his
smart card. As far as I know human organism resources, you will need a
new CEO after one week if there is no water supply in the room. It must
be a really good test for CEO's IQ.

JT> it would have been more efficient
JT> to pay a guard to stand at the door.

And to pay another guard to look after the first guard, because he can
also leave for lunch. The more people have access to the system, the
less secure the system is. Today it's the human who becomes the weakest
link in security.

-- 
~/ZARAZA
The machine turned out to be capable of a single operation,
namely multiplying 2x2, and even then it made mistakes. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

