Information Security News mailing list archives

Re: Hacking Demonstration Shows Dangers of E-Commerce


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sat, 6 Nov 1999 23:40:58 -0700

REPLY From: The Dodger <dodger () 2600 com>

Reshef learned the tricks of the trade during a
five-year stint in the Israeli Defense Force. Ask him
what unit he served in and he replies, ``I can't tell
you.''

But he will say he recruited more than a dozen
former military colleagues to help start Perfecto
Technologies. They've cooked up a piece of
software called AppShield, which Web sites can
use to block the sort of hacking that Reshef
demonstrated for us.

If I were a charitable person, I'd say that this sounds like hype to me.
However, I'm not a charitable person, so I'll say what I think - this is
crap.

When it comes to security, despite what the firewall vendors and companies
like Perfecto would have us believe, there is no silver bullet, no quick
fix, no single piece of hardware or software which can automagically
secure an e-commerce site. Security is an ongoing process and is composed
of many different elements. Most important, in my opinion, is the
allocation of resources to ensure that systems are designed to be secure
from the ground up, and remain secure, by being maintained by well-trained
staff who understand security and have the time to keep on top of security
developments. I recently conducted an informal survey of thirty-odd
systems administrators whose systems were insecure in one way or another,
and the reason each one gave for their systems being insecure was that
they didn't have enough time and security wasn't a high enough priority
with the management. Therefore, it got neglected.

This article is a perfect example of the sort of scaremongering and hype
that Internet security startups are using to get media exposure. It
basically equates to free advertising and is a sure sign that the company
is thinking about an IPO.

I also smell a rat in Reshef's refusal to say which IDF unit he served in.
In most countries, people who work in secret organisations, whether they
be army units or intelligence services, have a legend. For example, here
in the UK, someone who works for the Secret Intelligence Service
(commonly, but mistakenly, referred to as MI6), if asked what he did for a
living, would say that he was a civil servant in the Foreign &
Commonwealth Office or the Ministry of Defence. If an SAS trooper is asked
what regiment he's in, he'll name his parent regiment, rather than the
Special Air Service. Saying "I can't tell you" isn't done.

Besides all of this, AppShield is a bad concept. There are security
problems with web application servers (in particular, with NT), but the
vast majority of security flaws can be easily fixed. If they can't be
fixed, then the software should be ditched. Taking another piece of
software and sticking it over the top, like a plaster, is bad security
policy.

I must admit that, unlike Felix, I do actually feel that b/s like this has
a place on the mailing list, because this is the sort of stuff we need to
know about, so we can head it off at the pass, so to speak.

These opinions are mine alone, and do not reflect the views of ISN,
Security-Focus.COM or 2600.com. If you have a problem with them, raise the
issue with me, not the list's owner.


Dodger
dodger () 2600 com

ISN is sponsored by Security-Focus.COM
