Why Security Is Useless.

Published on: 1189909802
Someone told me once: Security is only there to keep the good guys good.

And that is exactly what is going on. No skilled hacker can be thwarted; they can only be mitigated to some extent. It is also the reason why I only focus on research these days and spend only a small portion of my time on actual security. Security can mitigate most hackers, that is, hackers who are skilled to a moderate degree. It is impossible to keep out the die-hard hackers, but there aren't many of them, and those hackers are not really interested in a small web store. So what are the risks? How can we mitigate all hackers? Or should we even continue to keep the moderate hackers out? Isn't it basically useless to even pursue a secure system? It is hard to answer these basic questions that drive us daily.

On the one hand security is a utopia, a perpetual motion device that is only perfect in theory but fails on many assets in practice. Anyone long enough in security knows that theory and practice are very different worlds to think in. They are platonic: security in theory only exists in abstraction from the real practical application of it. In other words, it is the folly of the fool who persists in absolute security. We can't reach it, and a benchmark of our inadequacy must be the buffer overflow, which has existed for over 20 years now. We have come close to securing software from buffer overflows, but it is hardly perfect. 20 years is a long time; in that time we have failed to secure software from it, and that is why hackers developed new techniques that use JavaScript to trigger buffer overflows in browsers, because JavaScript can influence how the browser allocates and lays out its memory. While that can be hard to pull off successfully, newer techniques are being developed to control the memory allocation even better. So attacks only get better, never worse.

Browser hacking is still an area that is somewhat new. It is the place where we could gain access to a user's system and possibly take it over. But this requires skill, a good deal of skill. This isn't something you pull off if you have only read two books. That is good, but the alternative is way harder to protect users from. Phishing is something that doesn't require a lot of skill. Anyone can buy a phishing kit, or create their own. With it, you perform an electronic social engineering scheme. And we all know that it is near impossible to protect users from, since they have to be educated. Or, as I like to say: you cannot con a conman; only someone who cannot think like a conman can be conned. I have seen the wildest ideas to protect users against phishing and they all fail. The only way to protect users is to educate them or let them experience a real-life con. Then they learn, but it's too late.

Lately I have watched different sites and blogs that talk about content restriction and the like, and had discussions about Firefox plugins like NoScript. While there are some fine plugins, they fail to educate the user. I personally know no one outside the security business who has installed NoScript, for the reason that users do not know the risks. But even then, it won't protect you from browser-based buffer overflows performed in PHP or Java. And it doesn't protect you from deviating from your common sense. I never use NoScript, for the reason that I know that it won't help me. Last week the option of disabling iframes was added to the NoScript plugin. Personally I think it is totally useless, since there are plenty of other ways to trigger code execution or do some other malicious stuff. It is way too hard to protect users without becoming a "Mao filter".

If you really want to be safe you need to switch to the Lynx browser, or disable the following:

- Java, JavaScript, Flash, ActiveX, VBScript, LiveConnect
- iframes, frames, images, stylesheets, forms
- reconfigure your whole browser
- remove a dozen browser plugins
- remove tons of vulnerable software from your PC
- go back to plain-text email (I have)

Then you are probably a bit safer, but you know what that looks like? Yes, WEB 0.1 beta. So are we going back to plain text then? Well, no, it only gets worse. The browser is becoming a desktop on its own. More features, less secure thinking. Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know. When you read through the HTML 5.0 and XHTML 2.0 drafts you'll probably get the shivers too; this is not material for the faint of heart! The browser will become the new desktop: everything will be JavaScript, Microsoft Silverlight, Adobe Spry and other scripting libraries.

The internet will be more interwoven with our PCs and there is nothing that can protect us. It all goes right through our firewalls and is streamed directly into our PCs without our consent or knowledge. We give away our PCs and we will be herded in the millions by future bots, which are forming ever greater armies. The browser has become the next desktop, carrying a rootkit called JavaScript. As for browser security and the immense adoption of more and more JavaScript and dynamic browser applications: it will break the web and make it literally impossible to protect users. There is really no hardened road back.

Last week I read a study by the Computer Security Institute (CSI), which did research in security to determine the biggest security threat. The outcome was that people are the biggest security risk in a company. CSI said that virus infections have been decreasing since 2001, from 90% to 52% this year. While that may be a decreasing trend, people still install malicious software, download backdoored media content from torrent sites, and still click on e-cards that contain a trojan. The Storm worm is the best example: it has infected over 10 million computers, and some even estimate that number is low. It is one of the biggest botnets in history, is capable of so much mayhem, and is possibly powerful enough to put a small country out of business with the flip of a switch. The biggest risk to me is still social engineering, whether it be a prank call or a phishing scheme, and no amount of security can protect you against it. Phishing schemes will rise, and so will the number of computers infected with new trojans that could target your website, and there is nothing you can do about it. New unforeseen attacks could be waiting right around the corner, making use of the newest browser bug through JavaScript.

The reason why security is just useless is that you cannot protect yourself from every attack. There will always be another angle that is forgotten, or is so plainly obvious that you do not think about it as a risk. Should we continue to protect users? Users who do not understand it and will continue clicking on the next e-card they get? I personally think we can never educate them enough. Right now 10 to 80 million computers are zombies in worldwide botnets, waiting to be aligned for the next cyber attack. Security is useless because surfers rely on software to protect them, and we know that software can never protect us. It is always behind the facts; security is only useful to keep the good guys good. But wait a minute: if the good guys are good, why should they ever attempt to breach security? Security can throw up barriers, but it will by no means protect against a security breach. Anything can be hacked, and I mean anything on the net, whether it is your PC or a Pentagon server.

Take CAPTCHAs for instance. They are designed to protect against automated submissions. Well, any one of them is basically broken with the right software. It only takes a small amount of time to break every CAPTCHA. And when they cannot break it, they just hire a bunch of people who sit in a racket breaking them by hand for $0.05 apiece. Look at what CAPTCHAs are intended to stop: "automated submission". Well, who would submit registration forms automatically? Not the average Joe. No, hackers. And they will outsmart the CAPTCHAs every time. That's why CAPTCHAs are useless, CAPTCHAs fail, and security in theory works the same way as the CAPTCHA. We try to protect against hackers, but they outsmart our systems. And if they fail to obtain a database password due to rigorous security, they just call the company and social engineer their way into the database.

So relax, because security has become useless, no matter where you look or stand.