Linked by David Adams on Tue 28th Jun 2011 15:35 UTC, submitted by HAL2001
Privacy, Security, Encryption In an unexpected move for a security company, SecurEnvoy today said that cyber break-ins and advanced malware incidents, such as the recent DDoS attack by LulzSec, should actually be welcomed and their initiators applauded. The company's CTO Andy Kemshall said: "I firmly believe that the media attention LulzSec’s DDoS attack has recently received is deserving. It’s thanks to these guys, who’re exposing the blasé attitudes of government and businesses without any personal financial gain, that will make a difference in the long term to the security being put in place to protect our own personal data!"
Translation Error
by fretinator on Tue 28th Jun 2011 16:07 UTC
fretinator
Member since:
2005-07-06

I think what he actually said better translates as:

1. Hax0r$, please don't pwn us!
2. Thanks for the $$$

Reply Score: 6

Of course
by Narishma on Tue 28th Jun 2011 16:10 UTC
Narishma
Member since:
2005-07-06

Of course a security company would say that. It means more money for them.

Edited 2011-06-28 16:12 UTC

Reply Score: 6

Comment by MORB
by MORB on Tue 28th Jun 2011 16:27 UTC
MORB
Member since:
2005-07-06

They do have a point, though. All those companies that got hacked had crappy security yet are always demanding personal information from their customers to use their products.

People should be happy that those security holes weren't found first by more malicious people than lulzsec.

Reply Score: 6

RE: Comment by MORB
by Alfman on Tue 28th Jun 2011 16:39 UTC in reply to "Comment by MORB"
Alfman Member since:
2011-01-28

MORB,

"They do have a point, though. All those companies that got hacked had crappy security yet are always demanding personal information from their customers to use their products."


Insofar as the data breaches expose a vulnerability which the company then fixes, then yes, the company's security could benefit in the long term. There's nothing like an attack to raise awareness. However, in the context of the piece quoted, the vendor specifically mentions that DDoS encourages better data security, which is idiotic.

There's no connection between bandwidth limitations and data security. If you can't keep up with the attacker/botnet, then you're dead. It doesn't indicate anything about bad security practices.

Reply Score: 5

RE[2]: Comment by MORB
by sagum on Tue 28th Jun 2011 19:51 UTC in reply to "RE: Comment by MORB"
sagum Member since:
2006-01-23

...in the context of the piece quoted, the vendor specifically mentions that DDoS encourages better data security, which is idiotic.


There's no connection between bandwidth limitations and data security. If you can't keep up with the attacker/botnet, then you're dead. It doesn't indicate anything about bad security practices.


Except these recent DDoS attacks haven't been just about raw fragmented packets hitting the server with more bandwidth than the server can handle.

If you look at the LOIC that the Anonymous group uses, they target a website by requesting pages that take up vast amounts of resources, be it memory, server-side scripting or database load.

An example would be searching in the help section of a website for a common word, or even a letter such as 'a', with the search results taking several seconds per request due to high CPU time or database load on the servers. In this instance, just a few people (sometimes even one person) can take down a website simply because of bad code.

Reply Score: 2
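The expensive-query pattern sagum describes, as an added example that is not part of the original thread or of any product mentioned in it: a naive substring scan over every help article on every request, beside a handler whose per-request work is bounded. The help articles, stop-word list, minimum term length and result cap are constructed for the illustration; work is counted in documents touched rather than timed, so the difference is visible deterministically.

```python
"""Application-layer DoS: an unbounded search handler beside a cost-bounded one.

Added illustration, not code from the thread. The help articles, stop-word
list and limits below are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample corpus standing in for a site's help section.
HELP_ARTICLES = {
    1: "How to reset your password and recover your account",
    2: "Enabling two factor authentication with a hardware token",
    3: "Why we ask for a phone number when you register",
    4: "Exporting your data and deleting your account",
    5: "Rate limits on the public API and how retries work",
}

WORD = re.compile(r"[a-z0-9]+")
STOP_WORDS = {"a", "an", "and", "for", "how", "on", "the", "to", "we", "when",
              "why", "with", "you", "your"}


@dataclass
class WorkCounter:
    """Counts documents touched, so request cost is visible without timing."""
    docs_examined: int = 0


def naive_search(term, corpus, work):
    """Vulnerable pattern: a substring scan over every article on every request.

    Cost is proportional to the whole corpus no matter what is asked, and a
    one-letter query such as 'a' matches nearly everything, so one cheap HTTP
    request buys the server's most expensive code path.
    """
    needle = term.lower()
    hits = []
    for doc_id, body in corpus.items():
        work.docs_examined += 1          # one unit of work per document, per request
        if needle in body.lower():
            hits.append(doc_id)
    return hits


class BoundedSearch:
    """Hardened handler: the work a single request can trigger is capped.

    - An inverted index is built once, so a query touches only its posting list.
    - Short queries and stop words are rejected before any lookup.
    - Results are capped and memoized per normalized term, so repeating the
      same query does not repeat its cost.
    """
    MIN_TERM_LEN = 3
    MAX_RESULTS = 10

    def __init__(self, corpus):
        self.index = defaultdict(set)
        for doc_id, body in corpus.items():
            for word in WORD.findall(body.lower()):
                if word not in STOP_WORDS:
                    self.index[word].add(doc_id)
        self.cache = {}

    def search(self, term, work):
        term = term.strip().lower()
        if len(term) < self.MIN_TERM_LEN or term in STOP_WORDS or not WORD.fullmatch(term):
            return {"ok": False, "reason": "query rejected as too broad", "hits": []}
        if term in self.cache:
            return self.cache[term]       # repeated query: zero additional work
        posting = self.index.get(term, set())
        work.docs_examined += len(posting)   # bounded by the posting list, not the corpus
        result = {"ok": True, "reason": "", "hits": sorted(posting)[: self.MAX_RESULTS]}
        self.cache[term] = result
        return result
```

Rejecting the one-letter query outright is the cheapest defence; the index and the cache then make sure that even a legitimate term costs only its posting list, and only once.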

RE[3]: Comment by MORB
by Alfman on Tue 28th Jun 2011 20:48 UTC in reply to "RE[2]: Comment by MORB"
Alfman Member since:
2011-01-28

sagum,

"If you look at the LOIC that the anonymous group use, they target a website to request pages that take up vast amounts of resources, be it memory, server side scripting or database load."

"In this instance, just a few people (sometimes even 1 person) can take down a website simply because of bad code."

Believe me when I say that I'm a huge advocate of running efficient code. However you have to admit that depleting the server of resources by running useless (yet valid+legal) queries is not nearly the same thing as taking over the server through a security vulnerability.

Reply Score: 3

RE[4]: Comment by MORB
by Neolander on Wed 29th Jun 2011 07:39 UTC in reply to "RE[3]: Comment by MORB"
Neolander Member since:
2010-03-08

It's certainly not the same, but if there's a way to take a server down with a small amount of organization/friends, due to the way the software running on this server works, it's another form of security vulnerability.

Reply Score: 1

RE[5]: Comment by MORB
by Alfman on Wed 29th Jun 2011 12:45 UTC in reply to "RE[4]: Comment by MORB"
Alfman Member since:
2011-01-28

Neolander,

"It's certainly not the same, but if there's a way to take a server down with a small amount of organization/friends, due to the way the software running on this server works, it's another form of security vulnerability."

This speaks to unscalable designs and systems; however, a company can find itself in a situation where its systems can handle the legitimate load of X customers, but not X + Y attackers. I'm uncomfortable with the conclusion that a company ought to design its infrastructure to handle X customers + Y attackers.


Edit: Although, what choice is there?

Edited 2011-06-29 12:53 UTC

Reply Score: 2

RE[5]: Comment by MORB
by Soulbender on Wed 29th Jun 2011 14:58 UTC in reply to "RE[4]: Comment by MORB"
Soulbender Member since:
2005-08-18

Availability != security.
The fact that a site wasn't designed to withstand a DDoS does not mean it suffers from a security problem and neither is inefficient code a security problem.
It's usually not feasible to start out with a site and infrastructure designed to handle the volume of YouTube or Facebook or a DDoS.
Deploy now, get customers and worry about scalability when the need arises. Even a DDoS once or twice is not a cause for concern unless it has a major impact on your bottom line and/or is caused by a security problem.
Some wise guy said something about premature optimization a long time ago and it's still true.

Reply Score: 2

RE[6]: Comment by MORB
by Alfman on Wed 29th Jun 2011 15:52 UTC in reply to "RE[5]: Comment by MORB"
Alfman Member since:
2011-01-28

Soulbender,

"Some wise guy said something about premature optimization a long time ago and it's still true."

I agreed with you up until this point. Too many people in CS use the quote above to justify designs with very poor scalability. Never forget that the quote was from the 1970s when the inefficiency typical of computing today was not yet conceivable. I'm afraid if modern day CS developers were sent back in time to work with Knuth, the quote you'd be reading would be quite different.

Reply Score: 2

RE[7]: Comment by MORB
by Soulbender on Wed 29th Jun 2011 16:05 UTC in reply to "RE[6]: Comment by MORB"
Soulbender Member since:
2005-08-18

Yeah, it's indeed much overused but it does apply in this situation. It's most often not wise to spend time and money designing for immense scalability before you launch. Try to make good engineering decisions that won't hamper you later on but don't sweat it until your userbase and traffic start to really increase.

Reply Score: 2

jabbotts Member since:
2007-09-06

I'd suggest that DDoS vulnerability is indeed a security issue. Security is not just concerned with protecting the information in that one box. It is also concerned with protecting the system resources for legitimate use. A denial of service removes resources from legitimate users.

If your network gets flooded out by packets, you have a security mechanism failing to filter packets properly.

If your software gets crashed into a denial of service condition, you have an exploitable vulnerability in the code that needs to be addressed.

If your website takes down your webserver due to resource exhaustion through a designed website function, you have site code that needs to be addressed.

The information systems are a business resource that need to be protected in addition to the information those systems house. Denial of service demonstrates an exploitable flaw in the security of those systems.

Reply Score: 2

Alfman Member since:
2011-01-28

jabbotts,

"I'd suggest that DDoS vulnerability is indeed a security issue. Security is not just concerned with protecting the information in that one box. It is also concerned with protecting the system resources for legitimate use. A denial of service removes resources from legitimate users."

This is all true, however you've overlooked a crucial element: in a well designed large scale DDoS attack, the victim doesn't know the attackers from legitimate customers.


"If your network gets flooded out by packets, you have a security mechanism failing to filter packets properly."

Two problems:
1. A filter is useless when the attacker's botnet has more bandwidth than you. Even an OC3 (which was considered large enough for my whole university) is easily saturated by a few hundred broadband users.

2. What kind of filter do you use? If you detect excessive bandwidth from an IP you can block it, but it may or may not be legitimate. Consider a bunch of mobile users behind a proxy/NAT router: your filter could inadvertently block all of them.

"If your software gets crashed into a denial of service condition, you have an exploitable vulnerability in the code that needs to be addressed."

Well, granted, the software should never crash. In the worst case, a busy server should start returning something like error 500, in HTTP-speak.


"If your website takes down your webserver due to resource exhaustion through a designed website function, you have site code that needs to be addressed."

You're totally oversimplifying the issue to imply that code is at fault. Assuming you actually have enough bandwidth in the first place (which isn't likely for most small/medium businesses), there are other local bottlenecks which will require infrastructure upgrades to eliminate. Databases quickly become saturated. Even ordinary web servers can start thrashing if the attackers deliberately request pieces of material which are unlikely to be cached. This causes random disk seeks well in excess of normal load. A typical disk seek is 5ms; if the attacker successfully requests an uncached file each time, then both normal users and attackers will reach a limit of 200 requests/sec.


"The information systems are a business resource that need to be protected in addition to the information those systems house. Denial of service demonstrates an exploitable flaw in the security of those systems."

Hopefully I've gotten my point across that being vulnerable to DDoS doesn't imply a security vulnerability. As Soulbender stated already "Availability != security."

I'd gladly discuss any usable ideas you have, but DDoS isn't as easy to solve as you make it out.

Reply Score: 2
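Alfman's second objection to "just filter the packets", as an added example that is not part of the original thread: a per-source token-bucket rate limiter replayed over constructed access-log lines. The addresses (RFC 5737 documentation ranges), the log lines, and the bucket parameters (one request per second sustained, a burst of ten) are all constructed; the three sources are a single LOIC-style attacker, a campus NAT gateway fronting a dozen ordinary users, and one lone user.

```python
"""Per-source rate limiting over constructed access-log lines, and its NAT caveat.

Added illustration, not code from the thread. The log lines, the addresses
(RFC 5737 documentation ranges) and the bucket parameters are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format as written by make_lines() below.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                 r'(?P<status>\d{3}) (?P<size>\d+)$')


def make_lines(ip, count, per_second, path="/help/search?q=a"):
    """Constructed log lines: `count` requests from `ip`, `per_second` of them
    sharing each one-second timestamp, starting at 16:07:00 UTC."""
    lines = []
    for i in range(count):
        second = i // per_second
        ts = f"28/Jun/2011:16:07:{second:02d} +0000"
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return lines


class TokenBucket:
    """Allows `burst` requests at once and refills at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            elapsed = (now - self.last).total_seconds()
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_log(lines, rate=1.0, burst=10):
    """Replays log lines in timestamp order through one bucket per source IP.

    Returns {ip: {"allowed": n, "dropped": n}}. The filter keys on nothing but
    the source address, because that is all the network layer gives it.
    """
    parsed = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                     # malformed line: skip, never crash the filter
        parsed.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    parsed.sort(key=lambda p: p[0])      # stable, so same-second order is preserved
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    verdict = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in parsed:
        verdict[ip]["allowed" if buckets[ip].allow(ts) else "dropped"] += 1
    return dict(verdict)


# Constructed traffic: one LOIC-style source hammering the search page, one campus
# NAT gateway behind which a dozen people each hit the same page three times, and
# one lone user. From the filter's point of view the first two look identical.
ATTACKER, CAMPUS_NAT, LONE_USER = "203.0.113.5", "198.51.100.7", "192.0.2.10"
SAMPLE_LOG = (make_lines(ATTACKER, 40, per_second=4)
              + make_lines(CAMPUS_NAT, 36, per_second=4)
              + make_lines(LONE_USER, 4, per_second=1, path="/help/search?q=password"))

if __name__ == "__main__":
    for ip, v in filter_log(SAMPLE_LOG).items():
        print(f"{ip:15} allowed={v['allowed']:3} dropped={v['dropped']:3}")
```

The attacker loses roughly half of its requests, which is the intended effect; the NAT gateway loses the same proportion, and those were twelve legitimate people. Tightening the threshold to catch more of the attacker only increases that collateral, which is exactly why a per-IP filter cannot substitute for capacity once the attack traffic resembles real traffic.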

Security Vendor??
by Alfman on Tue 28th Jun 2011 16:32 UTC
Alfman
Member since:
2011-01-28

"I firmly believe that the media attention LulzSec’s DDoS attack has recently received is deserving. It’s thanks to these guys, who’re exposing the blasé attitudes of government and businesses without any personal financial gain, that will make a difference in the long term to the security being put in place to protect our own personal data!"

Wow, that's more than a little ignorant.

A DDoS attack does not help improve data security at all. DDoSing does not expose a data security vulnerability which needs to be fixed. Once the DDoS is over - there's nothing to do within one's network to prevent it from happening again.

Reply Score: 3

RE: Security Vendor??
by Soulbender on Tue 28th Jun 2011 18:01 UTC in reply to "Security Vendor??"
Soulbender Member since:
2005-08-18

Yeah, well, have you looked at the products SecurEnvoy peddles? Their "securemail" solution uses SMS (which we all know is awesomely secure and super encrypted) to deliver "secure" email.
There's a word for it and the word is snake oil, so it isn't exactly surprising he wouldn't have a clue.

Reply Score: 2

RE: Security Vendor??
by umccullough on Tue 28th Jun 2011 18:16 UTC in reply to "Security Vendor??"
umccullough Member since:
2006-01-26

Wow, that's more than a little ignorant.

A DDoS attack does not help improve data security at all.


I'll agree with you that a DDoS attack does not demonstrate a lack of security... and this "security" company should know better than to call the attacks from LulzSec DDoS attacks. They clearly infiltrated "secure" systems, extracted data illegally, and released it publicly. That's far from being a DDoS attack.

I would agree that the LulzSec attacks did shine more sunlight on the pitiful security practices that corporations and governments put in place to make things seem secure - but this SecurEnvoy CTO is clearly making idiotic statements.

Reply Score: 3

private info
by jack_perry on Tue 28th Jun 2011 17:06 UTC
jack_perry
Member since:
2005-07-06

If all they had done was to show weaknesses, then fine. But they also posted private info gleaned from databases, things like passwords, emails, & such -- not the worst they could do, for sure, but still a nontrivial tick upward on the creep-o-meter.

Reply Score: 2

RE: private info
by Neolander on Tue 28th Jun 2011 17:52 UTC in reply to "private info"
Neolander Member since:
2010-03-08

More creepiness = more money for security companies. Their whole business is based on fear and distrust, after all...

...

Kind of like nuclear weapon engineering, in fact.

Edited 2011-06-28 17:52 UTC

Reply Score: 2

RE[2]: private info
by Soulbender on Tue 28th Jun 2011 17:55 UTC in reply to "RE: private info"
Soulbender Member since:
2005-08-18

makes you wonder who might have really been behind lulz, doesn't it.

Reply Score: 3

RE[3]: private info
by Neolander on Tue 28th Jun 2011 18:17 UTC in reply to "RE[2]: private info"
Neolander Member since:
2010-03-08

Even if it wasn't the case to start with, it is to be expected that the LulzSec members will soon be offered golden job opportunities...

Reply Score: 1

RE[4]: private info
by Soulbender on Tue 28th Jun 2011 18:24 UTC in reply to "RE[3]: private info"
Soulbender Member since:
2005-08-18

And people say crime doesn't pay.

Reply Score: 2

RE[5]: private info
by Neolander on Tue 28th Jun 2011 18:33 UTC in reply to "RE[4]: private info"
Neolander Member since:
2010-03-08

The very existence of hit men is proof of the contrary.

Edited 2011-06-28 18:39 UTC

Reply Score: 1

RE[5]: private info
by Alfman on Tue 28th Jun 2011 19:05 UTC in reply to "RE[4]: private info"
Alfman Member since:
2011-01-28

Soulbender,

"And people say crime doesn't pay."

If that were true, we wouldn't have crime.

Reply Score: 2

RE[6]: private info
by Soulbender on Tue 28th Jun 2011 19:22 UTC in reply to "RE[5]: private info"
Soulbender Member since:
2005-08-18

True. In this case crime is outright encouraged though which is different from robbing the local 7/11 or selling smack at school.

Reply Score: 2

RE[7]: private info - exploited maybe
by jabbotts on Thu 30th Jun 2011 16:37 UTC in reply to "RE[6]: private info"
jabbotts Member since:
2007-09-06

I'd say LulzSec's crimes are being exploited more than encouraged. People are taking the opportunity presented by the last month and a half's events and applying it to all sorts of agendas. Some honorable, some benign, some profiteering.

I don't think honorable infosec folks making the best of the opportunity is the same as openly encouraging such behavior. Granted, those who are encouraging further criminal acts and irresponsible disclosures are equally irresponsible.

Responsible disclosure could equally motivate big business to take its customers' data more seriously, if one is really in it to improve security.

Reply Score: 2

"In an unexpected move"
by jabbotts on Thu 30th Jun 2011 15:23 UTC
jabbotts
Member since:
2007-09-06

Unexpected? What is unexpected is that this hasn't happened sooner.

Security service and, even more so, appliance vendors rely heavily on the Fear Sell pitch; "buy our product else bad guys will be able to harm you."

For security vendors, Lulzsec provides a fantastic bit of recent news to base marketing around. "buy our product else *these* bad guys will be able to harm you."

Reply Score: 2