Information Security News mailing list archives

Re: Cracks in the Firewall


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Apr 2002 02:26:24 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>
cc: joe.duffy () us pwcglobal com

http://www.businessweek.com/bwdaily/dnflash/apr2002/nf2002049_1803.htm

APRIL 9, 2002 
SECURITY NET 
By Alex Salkever 

Thanks to sophisticated new attack methods, computer security has to
go beyond the old standby of merely keeping intruders out

"DIFFERENT SCENARIO."  This explains why intruders increasingly play
off this connectivity to target systems that require a certain
degree of openness to function as a business tool. "The
[pre-Internet] computing technologies were designed to keep people
out. The Internet is all about letting people in. That's a different
security scenario,"  explains Joe Duffy, national security practice
manager for PricewaterhouseCoopers.

Well, I think this pretty much establishes that Joe Duffy was not on
the net before 1995 or so.

Hrm, let's find his bio.

Joe Duffy is Lead Partner for the National Security Practice of
PricewaterhouseCoopers. An author and frequent speaker on business
technology issues, Mr. Duffy is responsible for the strategic
direction, growth and vision of the US Security Practice for
PricewaterhouseCoopers.

That screams "upper management" and "I have a problem comprehending a
mouse with three buttons" to me.

First, what is "pre-Internet" computing? Talking about the mainframes
of 1960? Since the Internet was basically founded/born/created in
1969, that would put his statement somewhere between "absurd" and
"fucking stupid". I hate to be the one who beats Duffy with a
clue-by-four, but computers and operating systems were NOT designed to
keep people out "pre-Internet", pre 1995 (my guess as to his online
history), or even today. Wonder if Duffy has installed a copy of NT or
Linux lately and noticed that the security posture screams "bend me
over"? I'd guess not.

Other insights can be gleaned from ISS's inaugural quarterly report.  
Until recently, the most common type of Internet attack was "denial
of service," whereby malicious hackers break into computers
connected to the Net and command them to fire incessant data
requests at a Web site. That shuts off access to the site and can
damage it.

I'd love to see the details that went into this study and figures.
There seems to be a lot of leeway here as to what one considers
"attack", how you qualify separate attacks, etc.

If an attacker breaks into a machine to be able to launch a DoS
attack, then wouldn't it be closer to a 1:1 ratio between non DoS
compromises and DoS attacks? Especially DDoS attacks that have kids
breaking into 1,000 machines to create their zombie army. Add on to
that the regular non DoS kiddies, and it seems that DoS attacks might
not be the most prevalent. Also factor in tracing DoS attacks since
they all spoof their packets and are a bitch to track back. Factor in
that none of the backbone ISPs will lift a finger to trace those
attacks, instead they just block all the traffic at a border router
and celebrate a job well done. The nature of non DoS, non defacing
attacks is to stay hidden. That has historically made any type of
computer crime/hacking statistic difficult to pin down.

All in all, I don't think these statements can easily be made short of
a lot more research.



-
ISN is currently hosted by Attrition.org
