Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

[Gadi Evron <ge () linuxbox org>]

On Sat, 10 Feb 2007, Sean Donelan wrote:
> On Tue, 6 Feb 2007, Roy wrote:
> > Its amazing how reporters has to butcher technology information to make it 
> > understood by their editors
> >
> > http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories
>
> Do we keep missing opportunities?
>
> Yes, it was a minor incident, just like a minor earthquake, the hurricane 
> that doesn't hit, the fire that is exitinguished. But it was also an 
> opportunity to get the message out to the public about the things they 
> can do to take control.
>
> We remind people what to do in a tornado, earthquake, flood, hurricane, 
> etc.  This on-going education does help; even though some people still
> drive their cars through moving water or go outside to watch the tornado.

Colin Powell mentioned at RSA in his extremely good, entertaining and
pointless talk something of relevance. During the cold war American kids
were trained to hide beneath their desktops in caseof a nuclear
attack. Much good that would have done.

> Instead of pointing fingers at South Korea, China, etc, every country
> with compromised computers (all of them) are the problem.  The United 
> States may be slow as far as broadband, but it makes up for it in the 
> number of compromised computers.
>
> We may know the drill, but it doesn't hurt to repeat message everytime
> we have the public's attention for 15 seconds.

And yet, can a non-trained user understand what "awareness" means?

> 1. Turn on Automatic Update if your computer isn't managed by a full-time 
> IT group.
>
>     Microsoft Windows, Apple MAC OS/X, and several versions of Linux
>     have Automatic Update available.  Most vendors make security patches
>     available to users whether or not the software is licensed or
>     un-licensed.
>
>     Zero day exploits may be sexy and get the press attention, but the
>     long-term problem are the computers that never get patched.  The VML
>     exploit on the football stadium websites was patched last month; but
>     its not how fast a patch is released, its how fast people install it.

Amen. 0days have become something petrifying. At my talk at RSA on
the subject of 0days and ZERT I started by asking what a 0day
is. Any guesses as to how many answers I got?

One Answer I did get was that we are all petrified as we can't do
anything about it (not true) and won't know about it.

I am of the strong belief one should take care of known vulnerabilities
first, then start worrying about 0days. That's one thing anyone can start
the process of doing (and for organizations, this can take years) which
will also result in a better infrastructure to contain and respond to 0day
attacks.

Still, how many users know how to turn on automatic updates? We are likely
to see them go to google, type in "automatic updates" and end up
downloading malware.

> 2. Use a hardware firewall/router for your broadband connection and turn 
> on the software firewall on your computer in case you ever move your
> computer to a different network.
>
>      Use Wireless security (WEP, WPA, VPN, SSL, etc) if using a WiFi access
>      point, or turn off the radio on both your home gateway and computer
>      if you are not using WiFi.

How??

This is where providers can chime in, and provide with pre-secured
hardware to any level which is above "come and rape me".

> 3. Even if your computer is secure, miscreants depend on your trust. Be 
> suspicious of messages, files, software; even if it appears to come from a 
> person or company you trust.

How do I determine what is suspicious? This is a message telling me my
mother is sick!

>     Anti-spam, anti-spyware, anit-virus, anti-phishing tools can help.  But
>     don't assume because you are using them, you can click on everything
>     and still be safe.  The miscreants are always finding new ways around
>     them.

This is too complicated. I don't understand. So you give me a solution,
use this and that tool, and then I need to be careful yet again?

>     It may just be human nature, but people seem to engage in more risky
>     behavior when they believe they are protected.

The 4-bit encryption issue. I am encrypted and thus protected.

I would argue email is simply not a secure medium by which to recieve
files. Call and verify when in doubt.

"If approached by phone, email or any other medium, verify the source
independently in an unrelated fashion to any instructions provided
in that approach, before trusting it."

> 4. If your computer is compromised, unplug it until you can get it fixed.
>
>      Its not going to fix itself, and ignoring the problem is just going
>      to get worse.

A user won't unplug him or herself. An ISP might. Today the economy of
this changes enough for quite some ISPs to decide it is better to kick a
user than give him or her tech support. Enter walled garden.

        Gadi.