
SANS ISC: Merry Festivus: Commence the "Airing of Infosec Grievances" - SANS Internet Storm Center InfoSec Forums


Merry Festivus: Commence the "Airing of Infosec Grievances"

In honor of today's holiday, Festivus (for those familiar with Seinfeld)... what is on your list of infosec grievances for 2009? What are the "wins" for the year? Use the comment feature on this entry; I will update with a Top 10 list assuming we get enough responses.

--
John Bambenek
bambenek at gmail /dot/ com

John

248 Posts
ISC Handler
Adobe, for the vulnerability of every week.
Anonymous
It would be a festivus miracle if fake antivirus malware would disappear from the web.
Anonymous
"It would be a festivus miracle if fake antivirus malware would disappear from the web."

That would be quite a feat.

blog.fireeye.com/research/2009/04/botnetweb.html
blog.fireeye.com/research/2009/04/botnetweb-part-ii.html

I vote for javascript or flash.
Anonymous
Another vote for Fake Antivirus being probably the most annoying. I see 3-4 alerts a week of this being blocked by our HIPS... a few sneak through that need to be cleaned here and there.
Shawn

29 Posts
Down here in the trenches, still fighting with minimal budget, resources or even casual management interest. What's worse is that my employer is a security services provider! The only thing Mgmt cares about is sales -- so please, help me out -- question your vendors as aggressively as you can. Ask them to prove their claims. Ask them everything you can think of. Read the answers thinking "What are these people lying to me about?"
Shawn
4 Posts
...vendor snakeoil (as Grunt said). Sat through a VOIP pitch via a network that's "private and secure" - and every person in the room assumed the definitions to be of merit. When I asked, though, the salepig could not define either of those terms - and after much legwork, "private" turned out to be "the same that everyone else uses, but we own parts of it". As for "secure"? After a call to their top tech people I got them to assure us that the encryption is at least as strong as ROT13, but more likely equiv to the upgraded version of ROT26. Authentication was a simple MAC filter. Major carrier, btw. :)
Steven

42 Posts
Javascript in PDF docs: PDFs should = static ...
Scareware/fraudware/rogue security apps ... Minimal budget ... Lack of interest by management toward infosec risk management, and thus always first dept to receive budget cuts
GregF

1 Posts
Merchants who want to force activation of Verified by Visa or MasterCard SecureCode to complete a purchase. Every December, we get a ton of Helpdesk calls from users who can't tell whether it's phishing. Because, well, there isn't any good way to tell, is there?
Anonymous
1. Technical Project Managers that aren't.
"Sharepoint is secure because MS said so, teehee!"
2. CISSP's that don't even know how to port scan but proudly declare themselves security professionals.
Anonymous
IPS/IDS vendors that do not provide the string or hex match description for their signatures.
Anonymous
The government's idea that "more regulation = more security". Someone please tell me how we're supposed to apply multiple standards to meet multiple laws/regulations - all we're really doing is chasing compliance, not implementing security.
Lee

21 Posts
Double Post :)
Lee
9 Posts
I'd have to agree with the Adobe PDF vulnerabilities as well - our environment has version 4.0+ with no one to fix this by removing the old versions and updating to the new one via SCCM.

WebDav/IIS vulnerabilities, a few of those came out and in our environment all of our developers run IIS. Why? I can't tell you.

Conficker (duh)

UDP over port 80...that was interesting to see in our environment.

But my all-time favorite is 'let's give everyone admin rights to desktops'... something that is so bad about our environment.


Anonymous
Sr Management responsible for infosec that doesn't have a clue...ditto for internal auditors
Anonymous
Javascript
Adobe Security eg. lack thereof
Javascript
PHP
Javascript
SQL
Javascript
HTML in email
Javascript
People let online w/o an "Internet Drivers License"
Javascript
Parents that do not monitor their kids online
Did I mention Javascript?
Anonymous
IT Managers who insist upon standards and policy only to ignore the same when it inconveniences them.

IT Staff who believe policy doesn't apply to them because they have elevated rights for a reason, correct?

HR Management that refuses to address IT Policy violations because they don't understand the issue, it creates more work for them, and their own staff who are some of the biggest violators.

Ok, in short, policies and standards that are all bark, no bite.
Alan

57 Posts
Clusers (LAN+user= luser; clueless+luser= cluser)
Symantec
IE
Adobe
Hacktive X
IE
Alan
1 Posts
Grievances:
%4A%61%76%61%53%63%72%69%70%74
PDF exploits
Conficker
Fake AV
Facebook/Google "privacy"
China/Russia. Yes, both of you.

Wins:
Lots of security work
Gov't focus on cyber security
There has to be more, right? It escapes me now...
Alan
6 Posts
How about, "I upgraded my Flash, but the old Flash files are still there"?
Alan
1 Posts
my top 3 infosec grievances for 2009....

1. the notion that (PCI) compliant == secure
2. 'uninformed' developers. how anyone believes it still 'ok' not to validate ALL input is beyond me
3. another year passes and we still have to explain why patching is a good thing

Alan
1 Posts
