• This is a stand-to for an incoming competition, one of our most expensive yet.
    Later this week we're going to be offering the opportunity to Win £270 Rab Neutrino Pro military down jacket
    Visit the thread at that link above and Watch it to be notified as soon as the competition goes live

GCHQ's National Cyber Security Centre opens for business following delays

Wordsmith

LE
Book Reviewer
#61
When you say software companies are you referring to all companies or just the big players like microsoft etc.
Software companies vary enormously. Microsoft (for example) continue to support obsolete protocols like SSLv2. Why don't they put an end of life date on it (like they do with older version of their software)? I've lost count of the number of reports that I've seen where the company being assessed hasn't disabled support for it.

Oracle are secure by default these days. (I'm an ex-inmate of that asylum). But they make it possible to significantly relax the security requirements. And guess what - companies that can't afford an Oracle DBA relax the requirements to make the systems easier to maintain.

Another small IT company I worked for quite a few years ago developed their own reversible proprietary encryption method and for a number of builds thoughtfully shipped a small tool to reverse the password hashes because the support staff at our customers asked for it. (EM may have got involved on that one...)

There are clearly IT companies that make secure software - it's the nature of the computer security industry that you learn more about the software houses that ship insecure software.

Wordsmith
 

Sarastro

LE
Kit Reviewer
Book Reviewer
#62
I've always been taken with Bruce Schneier's suggestion that software companies should be made legally liable for faults in their software, much like car companies are responsible for selling a product that has been safely designed and put together. At present a software company can put out a product with glaring security holes and not be legally liable if the end user gets breached because of it. Make the software company legally liable and maybe they'd make their software a bit more secure.
I'm afraid that is the kind of terrible suggestion that comes from soldiers or civil servants or politicians or security specialists: people with a terrible track record of thinking about the wider consequences of such decisions. The obvious reason why is that the car industry, and the road system, are nothing like the software / hardware / network world, and are never going to be. The immediate result would almost certainly be a sustained worldwide recession in the tech, and quite probably therefore global, economy.

Legal liability alone would immediately prompt huge class action lawsuits against software companies, because as you know ALL software has multiple flaws. Criminals would probably benefit as new front in cyber-blackmail would open up, where instead of building toolkits to target the wider ecosystem, black hats and their sponsors would simply blackmail software companies to keep vulnerabilities secret, also undermining the current security ecosystem which relies on vulnerabilities being shared with manufacturers. Open source software would disappear as all the groups that made it were sued or shut up shop at the risk. Production of new software would slow to a crawl. Since the basic problem is that there is a global shortage of developer talent, there simply isn't the manpower to fix this without huge changes in education system, so any advances would take a lot of time.

The problem doesn't exist because centralised, proprietary style organisations do things badly, although often they do. Equally, treating this as a 20th century style problem where you can just sue the organisation will not fix it.

The problem exists because the infrastructure, networks, and nature of the hardware are all designed to be insecure and highly interoperable. This is not the case with, for example, the car industry and road networks, which are designed with safety in mind first. You cannot just sue the software companies, because fundamentally they make products to someone else's standards. The PC / Android approach to hardware builds makes coherent security standards largely impossible, despite some effort, because it is impossible to understand or specify the impact of combinations used. Networks and network protocols were designed to be open, with security added as an afterthought. Even new standards aren't vastly more secure, blame ICANN for that, not Microsoft. But don't blame ICANN, because there are good reasons to keep things open, which mean by default they will be less secure. So even if you hit companies with punitive legal responsibilities for things they actually can't reasonably fix, and swallowed the resulting recession, you would simply alter the class of security flaws that criminals would exploit.

There is a reason this hasn't been done.

Ship the software with a strong default configuration and require the company installing it to keep a risk register if they relax that default configuration and so on. Even better, hard code in requirements so you can't configure the software below certain minimum standards - for example all passwords must be a minimum of 8 characters long, have a mixture of upper case letters, lower case letters, numbers, special characters and and can't use any of (say) 500 common dictionary words as a base for the password.

It'll take a holistic approach like the above to make some form of impact on the problem.

Wordsmith
Again, sorry but you use two examples that actually wouldn't change anything, because they are the wrong or pointless advice.

Risk registers don't do anything except make accountability easier when things do go wrong. The argument that they create an incentive for managers to be more cautious depends on some kind of consequence, which as you said to start, doesn't really exist in the software world. Without a legal or regulatory system to back them up, risk registers don't do anything (arguably they don't do much regardless, are just seen as negated paperwork, and are highly inaccurate or gamed).

The password rules you cite are already outdated. It's at least 12 and the combination of other ASCII characters has a negligable effect on the time taken to guess the string, compared to simply another digit in length. In other words, make it 13 and that's it. The advice is also different for automated strings and human-useable strings, e.g. your Windows product key or your Windows login.

But more importantly, that is the problem with hard-coding. One, it's no such thing as "hard", to change it attackers just have to aim for the firmware code or low-level language rather than just firmware access or the high level language. Two, it dates really rapidly. Very soon you will have a set of equipment which is out-of-date. So you have to update it, let's assume by a remote push update from the manufacturer (in this new IOT world with multibillions of devices). Congratulations! You have just created the access vector that your attackers from point One will use to compromise it. You have changed only the method of attack.

All of this stuff does require: more incentives to do things right; better understanding among "specialists"; a holistic approach. But the answers are not as simple as supposed security specialists like to claim, because a lot of them are frankly not very competent, and are simply regurgitating partially understood advice somebody told them on a course once.

Moreover, this is an open ecosystem. Changing that now would, quite literally, break the Internet and software ecosystem. Any solutions have to treat it as such, and quite probably make use of that characteristic. Simply telling big firms to do better will not work, because the core problems are beyond their control to fix.
 
#63
The US appears to be upping it attention to cyber-warfare.
DoD Announces Elevation of U.S. Cyber Command to a Unified Combatant Command > U.S. DEPARTMENT OF DEFENSE > News Release View

Raising the organizational status of U.S. Cyber Command an indication of the DoD's long-term commitment to cyberspace as a warfighting domain.

The changing nature of warfare is being addressed and this move is intended to strengthen their cyberspace operations by streamlining command and control of time-sensitive cyberspace operations by the consolidation under a single commander with authority appropriate to the importance of such operations.

Contractors Praise Elevation of Cyber to Combatant Command | DoD Buzz
 
#64
Interesting, in not a great way that Huawei a Chinese company deeply involved with computers has been declared by the Australian intelligence community as operating as an arm of the Chinese spy services. United Kingdom and United States Intelligence agencies have also issued similar warnings.

A report by a research unit of the US Office of the Director of National Intelligence in 2011 stated that Huawei Technologies relied on a series of formal and informal contacts with both the Chinese People’s Liberation Army and Ministry of State Security.

Founded to import Western office telephone systems to China, it has become a leading Chinese exporter of a huge variety of communications hardware equipment, including routers, cell towers and undersea cables. Recently Australia expressed concern about a plan by the Chinese company to provide high-speed Internet to the Solomon Islands, a small Pacific island nation who Australia shares Internet resources with.

Australia's concern is that by constructing the Solomon Islands undersea cable, Huawei could be tapping into Australia’s telecommunications infrastructure backbone, which presents a large security issue.
Investigation: undersea cable red-flagged by Australia's spy agencies dogged by donation allegations

A United States government agency declared a link between Huawei and the country’s intelligence services in a report by the US Open Source Center, which acts as the open-source intelligence (OSINT) arm of the Office of the Director of National Intelligence. Huawei had already been criticised for its links with Iran and the Afghan Taliban communications equipment.
 
#66
One section in the US that is seriously concerned.
"Cybersecurity remains a hot topic for the U.S. government and its commercial partners. U.S. Transportation Command is no different. The command is committed to advancing cyber-domain capabilities to ensure its ability to operate freely in an increasingly contested cyber domain."

United States Transportation Command
 

Latest Threads

Top