[ISN] AusCERT: Entrusting end-users with security an outdated '70s idea, says author

From: InfoSec News (alerts@private)
Date: Mon May 21 2007 - 22:36:08 PDT


http://www.computerworld.com.au/index.php/id;326875587;fp;16;fpid;2

By Sandra Rossi 
21/05/2007

Ivan Krstic, co-author of the bestselling The Official Ubuntu Book, 
delivered a scathing keynote at AusCERT 2007 today claiming the tech 
industry has failed to address securing IT and that far too much still 
rests in the hands of un-informed end-users.

Delivering the opening address at Australia's premier IT security 
conference, Krstic said immediate action is required.

"We can fix it now or face another 10 years of empty vendor promises and 
lousy security products," he said.

"We need to work less on sexy problems and focus on the hard ones that 
need to be solved."

Today's problems cannot be fixed, according to Krstic, with a 1970s 
security model.

"Everything you know about desktop security is wrong. Desktop security 
is about the user not protocols and algorithms," he said, adding that 75 
percent of machines are infected with malware.

"Today, there is more than 100,000 known viruses, not to mention spam 
and phishing and that is because we rely on users to make choices about 
things they don't understand."

To reinforce his point, Krstic showed how a user interprets a pop-up 
dialogue box that appears on their screen.

To a user it simply says: "Blah blah, technical terms, I don't 
understand, blah blah."

Then it will ask the user to press 'yes', 'allow' or 'permit'.

"Of course they will click on 'yes', 'allow' or 'permit' because it 
rewards them by letting them get back to work. We are training users to 
ignore security and rewarding them for it," Krstic explained.

"By leaving decisions to uninformed users it means IT security is an 
unbelievable mess and disaster. How did we get here?"

Krstic said the assumption that every program runs with the permission 
of the user is a 35 year-old concept.

He said 35 years is equivalent to centuries in IT, adding that "we 
wouldn't go to war with sticks and stones."

"We run untrusted code every time we open a Web page. It is bizarre," he 
added.

Krstic went on to criticize the methods used to address these problems.

"Maintaining blacklists is one of the dumbest ideas in computer 
security; what's the point in keeping an up-to-date list of all the bad 
things, simply cataloguing badness. That's a losing battle we cannot 
win," he said.

More than 1100 delegates are in attendance at AusCERT 2007 which is 
being held on the Gold Coast from May 21-25.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon May 21 2007 - 22:50:07 PDT