Security

General discussion

Locked

The Six Dumbest Ideas in Computer Security

By jdclyde ·
This came in a security newsletter I recieve. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter the conventional "wisdome" about computer security.

"Marcus Ranum released any interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:
http://www.ranum.com/security/computer_security/editorials/dumb/"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Paranoia Club

by apotheon In reply to yup, me too

Where do I sign up?

Do I have to use a valid email address?

Collapse -

In this club

by jdclyde In reply to Paranoia Club

we already have all of your personal information, thank you very much.

I just can't believe you wear THAT to bed each nigh! :)

Collapse -

The club

by jdclyde In reply to Paranoia Club

We already have all of that information, so you don't need to do anything but watch out your window.

I can't believe you wore THAT to work today.....

Collapse -

What, the shirt?

by apotheon In reply to Paranoia Club

Hey, I like the camel obfu!

Collapse -

MIME scanning possible?

by tntjenkins In reply to blocking exe not a great ...

I thought you could scan a MIME type to determine file type and weed out even renamed files (ie .mpg changed to .txt? Our UNI does it to our linux home file space and the script deletes all unacceptable files no matter the extention, if the MIME type is wrong its gone!

Collapse -

RE: Mime scanning possible?

by azrider In reply to MIME scanning possible?

In the *nix world, the usual method is to look at the first 2 bytes of the file. Each *known* file (as listed in the /etc/magic file) has a specific signature, no matter what the name. This is why you can name an executable DontYouDareExec.This and it will still run if flagged executable in the directory (or called by a shell). For scripts in *nix, a #! on the first line says "execute me using the shell specified". In the MS world, any file ending in .exe, .bat, .cmd, .vbs... will execute, since there is no concept of read/write/execute in it's shell. Therefore, (after taking the long way around), your answer is yes. You can scan the beginning of the file to look for a signature. For more information, search for "unix magic file" or "unix file command" using your favorite search engine. For .vbs or .bat files, however, all bets are off.

Collapse -

A jar of files

by danag42 In reply to Recieving exe files

For a while there, executables were sent with the extension .jar rather than .exe. So if you were expecting a program from someone, you could rename it and use it. If not, you just deleted all the .exe files that were unknown.

I refuse to run executables unless I specifically asked for them. Otherwise, you're in trouble.

Collapse -

An old Idea

by jobothetechnopeasant In reply to Recieving exe files

Why not lockdown the hardrives of servers so that only the baseline inventoried programs can execute? Look, we know malware is going to get thru so why not just prevent if from running when it does?
Building moats and perimeter defences didnt always work in the middle ages either.
Educating users? Not realistic or cost effective in our environement.
Make vendors write bug-free code? - Hello! this has been a problem since forever and simply isnt going to happen. Why? because its impossible to do for any non-trivial program.

Enumerating the goodness and preventing anything else from executing is the best approach I've heard of.

Collapse -

Best idea I've heard

by YZFDude1 In reply to An old Idea

one software package.

Securewave, sure it's expensive, but it can lock down what can and can not run at the kernel level so go ahead double click on that exe it won't run unless it's on the white list.

Not to mention you can lock down the usb ports so that printers work but usb keys do not. You can lock the floppy and the cdrom. Think about it, if there is no way a virus can execute it's code then you don't even need a virus checker.

Collapse -

WHY are exe's a problem?

by CIO at Alphabetas In reply to Recieving exe files

I mean, the Mac just looks at them and isn't affected at all. In fact,
OSX asks if you really want to download it anyway.
Why the big hoohah about exe? It's not as if you use windows or
some other archaic OS that passes system calls straight through to
the kernel, right?

:&gt
<ducks>

Related Discussions

Related Forums