May 20, 2005
"Why", not "How", a Security Specialist Fell Victim to Attack
Darren Miller writes in CircleID a couple weeks ago about his recent experiences with a certain insecure operating system, suggesting that the answer to insecure systems is to wall them off, building ever more complex systems of analysis and defense against "potentially harmful URL's", especially when you can't explain why viewing an email and "clicking a URL" would cause a DoS against your TCP stack.
The article, unfortunately, doesn't explain "how" he was attacked, and is light on details such as OS, mail client, mode of attack, motive of the attacker, the cause of the local DoS, and so forth. What it focuses on, instead, is essentially the "why" of the attack, but it does so in an unsatisfying way. In other words, the whole article is about how Mr. Miller continues to run an (obviously) insecure OS despite the failure of all their defenses against the "attack", after adding yet another line of defense.
How many more security failures must occur before Mr. Miller (and the rest of those running fundamentally insecure operating environments) reviews his fundamental assumptions: that while it may not be possible to run a 100% secure operating system, or provide a 100% reliable security architecture to defend your insecure OS against attack, it makes sense to continue to rely on said woefully insecure OS and applications. He himself admits that he still doesn't know why his OS was so easily DoS'ed, how, or for that matter, what the weakness was in the "harmful URL" (as if the URL itself could be harmful).
By glossing over the weaknesses in the OS and application(s), and blaming the URL (even if he knows better), he's falling victim, whether intentionally or not, to the same mindset that leads to massive wastes of time and energy like the recent Sober.Q outbreak. "OS insecure? Have a newer antivirus program, tighter firewall policy, more lines of defense against attack." Instead of replacing the underlying weakness, build walls around some imagined perimeter. And then write articles complaining that the Huns and Vandals just won't stop trying to get at the comically weak core behind those same walls.
A thorough review of the system did not reveal anything out of the ordinary. Yet, the machine was barely operating.
I think this is perhaps the most telling quote of all.
Posted by schampeo at May 20, 2005 9:25 AM