1 / 12

Security Realities & Risks: Insights from Recent Stories

Explore the disconnect between lip-service to security and actual practices in the software industry, including vulnerabilities like Firewire access, hidden processors, and Apple's patching issues. Uncover the importance of understanding and prioritizing real security measures in today's tech landscape.

hmccarty
Download Presentation

Security Realities & Risks: Insights from Recent Stories

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Prolog to Lecture 2CS 236On-Line MS ProgramNetworks and Systems Security Peter Reiher

  2. What’s This Prolog Stuff? • When I can, I will add a short presentation to each lecture • Discussing application of material from the previous or recent lectures • Generally stuff that’s pretty timely

  3. Do We Really Care About Security? • Security gets a lot of lip-service • But is the community out there really behind it? • Particularly the industrial community that builds our software? • Three recent stories suggest maybe not

  4. 1. Fun With Firewire • Many computers have firewire interfaces • Especially laptops • These interfaces allow direct access to memory • No access control • No nuthin’

  5. What’s That Mean? • Anyone who hooks up a firewire device to your laptop doesn’t need to log in • He can just read and alter the memory • Proof-of-concept tool1 allows you to own Windows machine in seconds • 1http://www.darkreading.com/document.asp?doc_id=147713&f_src=drweekly

  6. What’s the Response? • “Well, duh, that’s what Firewire is supposed to do” • In other words, we designed your computer to let anyone take it over • If they have physical access • All this login stuff is just window dressing to impress the rubes

  7. 2. Backdoor Processors • Many devices come with complete processors “hidden” inside • Printers, routers, storage devices, etc. • They’re installed with complete OSes • Which are often very badly configured • Allowing anyone access

  8. The Implications • If attacker knows about these, • And you don’t, • He’s got a hidden backdoor into your system • Often these processors have network capabilities • And can access the CPU you already knew you had

  9. What’s That Mean? • The people who put these processors in neither knew nor cared about security • System management (the purpose of them) was more important • They didn’t care enough to even mention they were there

  10. 3. Apple Patching • Everyone knows Macs are “more secure” than Windows machines • Well, they’re not • Recent study1 shows Apple: • Has more vulnerabilities • Takes longer to patch them • Suffers more attacks on unpatched flaws 1http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf

  11. What’s That Mean? • Apple wasn’t entirely honest about really caring about security • They aren’t spending the money to patch flaws • And they have plenty to patch • They’re talking the talk, not walking the walk

  12. The General Lesson • Just because people say they care about security doesn’t mean they do • Many decisions seem to be made without even considering security implications

More Related