Information Security News mailing list archives
Re: Hacking Demonstration Shows Dangers of E-Commerce
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sat, 6 Nov 1999 23:40:58 -0700
REPLY From: The Dodger <dodger () 2600 com>
Reshef learned the tricks of the trade during a five-year stint in the Israeli Defense Force. Ask him what unit he served in and he replies, "I can't tell you."
But he will say he recruited more than a dozen former military colleagues to help start Perfecto Technologies. They've cooked up a piece of software called AppShield, which Web sites can use to block the sort of hacking that Reshef demonstrated for us.
If I were a charitable person, I'd say that this sounds like hype to me. However, I'm not a charitable person, so I'll say what I think - this is crap.

When it comes to security, despite what the firewall vendors and companies like Perfecto would have us believe, there is no silver bullet, no quick fix, no single piece of hardware or software which can automagically secure an ecommerce site. Security is an ongoing process and is composed of many different elements. Most important, in my opinion, is the allocation of resources to ensure that systems are designed to be secure from the ground up, and remain secure, by being maintained by well-trained staff who understand security and have the time to keep on top of security developments.

I recently conducted an informal survey of thirty-odd systems administrators whose systems were insecure in one way or another, and the reason each one gave for their systems being insecure was that they didn't have enough time and security wasn't a high enough priority with the management. Therefore, it got neglected.

This article is a perfect example of the sort of scaremongering and hype that Internet security startups are using to get media exposure. It basically equates to free advertising and is a sure sign that the company is thinking about an IPO.

I also smell a rat in Reshef's refusal to say which IDF unit he served in. In most countries, people who work in secret organisations, whether they be army units or intelligence services, have a legend. For example, here in the UK, someone who works for the Secret Intelligence Service (commonly, but mistakenly, referred to as MI6), if asked what he did for a living, would say that he was a civil servant in the Foreign & Commonwealth Office or the Ministry of Defence. If an SAS trooper is asked what regiment he's in, he'll name his parent regiment, rather than the Special Air Service. Saying "I can't tell you" isn't done.

Besides all of this, AppShield is a bad concept. There are security problems with web application servers (in particular, with NT), but the vast majority of security flaws can be easily fixed. If they can't be fixed, then the software should be ditched. Taking another piece of software and sticking it over the top, like a plaster, is bad security policy.

I must admit that, unlike Felix, I do actually feel that b/s like this has a place on the mailing list, because this is the sort of stuff we need to know about, so we can head it off at the pass, so to speak.

These opinions are mine alone, and do not reflect the views of ISN, Security-Focus.COM or 2600.com. If you have a problem with them, raise the issue with me, not the list's owner.

Dodger
dodger () 2600 com

ISN is sponsored by Security-Focus.COM