
If the Internet is so full of holes, where are all the incidents?

Comments

  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Depends who "they" are ;)

    Some risks are overhyped (what's this whole SSL thing for anyway, oh noo some Israeli has released a new virus and it can eat your hard disk rush out and upgrade to Koala anti virus 2003)

    Some risks are underhyped (broadband = ddos zombie, outlook needs to be patched, don't click on accept the install when you get a popup)


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    I dunno, I haven't heard much of the malicious side of internet security, i.e. people OUT TO GET THE WORLD etc.

    It's probably very contained.

    Would I be right in saying that there is a kind of honour [EDIT: bad phrase] among security experts?


  • Closed Accounts Posts: 5,025 ✭✭✭yellum


    Glad you edited that STaN. I don't think you meant to imply that security people were thieves.

    I think those that have the ability to do very bad things to the net don't as they have some moral code. Thank god. People like L0pht talk about how insecure the net is and how they could disable it pdq if they wanted to. I'm glad they're mature enough to not do this or create a script for kiddies to do it.

    I suppose the more knowledge one gains the more enlightened one becomes.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Enlightenment isn't necessarily going to conform to something that benefits all of us.

    Random thought leading to the thought (in my head anyway), maybe there's a cyber equivalent of the Unabomber waiting to happen.


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    Originally posted by yellum
    Glad you edited that STaN. I don't think you meant to imply that security people were thieves.

    still sounds bad :eek:

    Argh, I dunno, didn't mean anything of the sort tbh, was just trying to convey a sense of camaraderie and using a phrase taken from TV.


  • Closed Accounts Posts: 1,414 ✭✭✭tom-thebox


    Originally posted by hmmm
    Depends who "they" are ;)
    Some risks are overhyped (what's this whole SSL thing for anyway, oh noo some Israeli has released a new virus and it can eat your hard disk rush out and upgrade to Koala anti virus 2003)

    True, some risks may be overhyped in some people's eyes, but I assure you, as anyone with an interest in security will, the OpenSSL alerts last year were in no way overhyped.

    Mass tools such as the scanner in openssl-too-open by Solar Eclipse and the Slapper worm are still causing problems for many people.

    Like, there were OpenSSL flaws which spawned local Apache shells for BSD and Linux users last year; I would hardly pick that out as being low risk and not worthwhile giving a bit of hype.

    Taken, some of the Microsoft flaws make headline news for very little reason, but that's only because it's cool these days to not like Microsoft ;)

    10 to 1 odds you won't get many Microsoft flaws on anyone's 0DD list.


  • Registered Users, Registered Users 2 Posts: 689 ✭✭✭Evac101


    Cupla focal -

    One - Security threats are becoming increasingly rarefied things - not in the frequency with which they appear but with the level of knowledge and intelligence to first discover a potential security hole and then to be able to create a virus/bug which can exploit the hole in a mass method with an inherent difficulty to counter it. (To use an analogy - to bring the bug from 'cult' to 'popular culture' status and then to make it difficult to eradicate).

    Secondly the level of user knowledge as regards updating virus definitions and secure browsing practices has risen dramatically in the last few years, helping to limit the impact of any virus which doesn't blitzkrieg the net - a 15 day delay these days between first report to the virus companies and a general attack by a virus severely limits the potential damage the bug can attain.

    My 2 cents - or .00001 of the old pennies.

    Evac


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    from enn...

    US authorities are investigating what has been described as the largest and most sophisticated attack on the backbone of the Internet.

    At approximately 10pm Irish time on Monday, a distributed denial of service (DDOS) attack reportedly hit the Internet's 13 "root servers," which provide the main roadmap for almost all Internet communications. The attack lasted for about an hour, reports say, but Internet users around the globe were mostly unaffected.

    The FBI's National Infrastructure Protection Centre (NIPC) said it was investigating the incident, as did law enforcement authorities across the US federal government.

    Some reports say as many as eight of the 13 computers were rendered inaccessible due to the attack, but this was not enough to shut down the Internet. Ten of the 13 machines are located in the US, many in the Washington DC area. Internet registrar Verisign, which operates two of the 13 servers, said the attacks did not impact its machines. Other known root server operators include NASA, the US Army, ICANN and the Internet Software Consortium.

    more here: http://www.enn.ie/news.html?code=8666042


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    I often wonder if the people who report really obscure bugs also go into people's houses to let them know that glass windows can be smashed too...

    DeV.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Grrr. Go troll elsewhere.


  • Closed Accounts Posts: 9,314 ✭✭✭Talliesin


    DeVore is both right and wrong.

    It's important for security researchers to report obscure bugs. For one thing obscure bugs can end up being part of particularly bad holes. Consider for example some of the utf8-based attacks on IIS a year or so back. The biggest part of that was an oversight that was predicted back when RFC2279 was written, and is included in the security considerations section thereof.

    Here what was an obscure and theoretical exploit became a serious and reliable way of exploiting IIS.

    The problem is the level of reportage. Relatively insignificant finds are the most frequent outcome of all research, whatever the field, but mostly they are primarily read by people working in that field. With computer security being the geek equivalent of being "well 'ard" there is a tendency for people, sometimes the researchers themselves, but more often journalists and people on lists and boards like this one, to over-emphasise them.

    Many lists witness the phenomenon of a rush to be the first to post information on the latest virus, worm or sploit in the hope it will bring kudos.

    The sad thing is that many reading this reportage are not getting the kind of simple, common-sense security advice they could actually benefit from :(
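
Added example, not part of the thread or any poster's words: the post above does not spell out the oversight, so this assumes it is the overlong-sequence case that RFC 2279's security considerations describe, where a check on the raw bytes refuses a NUL byte (00) but a lenient decoder then turns the illegal two-octet sequence C0 80 into NUL. The function names and the sample input are constructed for illustration.

```python
# Added illustration: lenient vs strict UTF-8 decoding of overlong sequences.
# Smallest code point that genuinely needs a 1-, 2-, 3- or 4-byte encoding.
MIN_FOR_LEN = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000}

def _decode(data: bytes, strict: bool) -> str:
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif b & 0xE0 == 0xC0:
            n, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"bad lead byte at offset {i}")
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            raise ValueError(f"bad continuation at offset {i}")
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        # The strict path enforces "shortest form only" plus the valid range.
        if strict and (cp < MIN_FOR_LEN[n] or cp > 0x10FFFF
                       or 0xD800 <= cp <= 0xDFFF):
            raise ValueError(f"overlong or out-of-range sequence at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)

def lenient_decode(data: bytes) -> str:
    return _decode(data, strict=False)

def strict_decode(data: bytes) -> str:
    return _decode(data, strict=True)

def filter_then_decode(data: bytes, decoder) -> str:
    """Hypothetical check-before-decode filter: refuse a raw NUL byte."""
    if b"\x00" in data:
        raise ValueError("NUL byte rejected")
    return decoder(data)

# Constructed sample: C0 80 is the illegal two-octet form of U+0000.
OVERLONG = b"name\xc0\x80.txt"
```

With the lenient decoder the filter passes the input and the decoded string contains the NUL it was meant to keep out; with the strict decoder (or Python's built-in `bytes.decode("utf-8")`) the same input is rejected at decode time.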


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    I agree with you. However, in his own way he seems to equate experts with thieves, whereas the overlap is quite small.

    (and to use the analogy, if everyone thought that their small windows weren't breakable, then maybe it would be a good idea to point out the truth. In the real world, people do know that glass is brittle.)


  • Closed Accounts Posts: 1,414 ✭✭✭tom-thebox


    Originally posted by ecksor
    seems to equate experts with thieves,


    I always wondered why there were so many security checks on leaving defcon.

    :D


    Regards


  • Closed Accounts Posts: 1,414 ✭✭✭tom-thebox


    It was meant as a joke, but thanks for your expert security advice bedlam, as always it's on point.

    :D



    Best Regards


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Thanks for the security advice, bedlam.


  • Closed Accounts Posts: 1,414 ✭✭✭tom-thebox


    :D

