The Evolution of security - Security & Cryptography

Users browsing this thread: 5 Guest(s)
venam
Administrators
Hello *nixer,
I am going to post something that I posted on HF before and on my blog (which is more or less dead but has 12k views daily).
[Image: NIQow]
I did not have any mature reply on HF (as expected) and nobody looked at my blog.
I would like to have your opinion.

Moreover, this is a subject that's interesting because it concerns philosophy and technology at the same time.

Extract:
Quote:Hello Dear blog followers,
I have been watching a lot of video conferences about security lately and I have been wondering what will happen in the next years.

Little help with reference and info :
Abyss of Cybersecurity-John Bumgarner
Testing enterprise systems advance data ex filtration techniques - Albert School
Business Ramifications of the internet's Unclean Conflicts - Rockie Brockway
All available on irongeek.com

Do you think security is like an organism and will adapt itself to threats? I mean, instead of some surface defense like IDS, firewall, ID protection, AVs, etc. Everyone can see that those methods are not real future solutions, they are only patches.

Moreover, do you think that security should move into irreplaceable data protection instead of replaceable data protection? irreplaceables, meaning things that you could not redo another time or that will never be the same, never taken back. Namely, IP, personal infos, codes, research,etc. Replaceables, are things that could be replaced, like credit cards, accounts, websites, etc..

Furthermore, will developers & engineer design technologies with the notion of security in mind or will it always be the work of someone else and they should link the bridge between them. This is important because no hardware of any kind can be secure if they are not made this way. Tons of stories comes out about pieces of hardware like microwave or bread-machine (as seen in the conference) or even extremely sophisticated and costly hardware machine that can be hacked so easily.
Can we imagine a future where everything is controlled by technology but none is made in a secure way.
Some would say "Even imperfection itself may have its ideal or perfect state"


Another issue is the data itself, nowadays it's harder and harder to keep an information secret, or at least keep it for a long period of time. Thus, Passwords could not be considerate means of proving one-self anymore. They are just words or characters that can be cracked or that has a pattern. We might also think of RSA key instead of passwords.
We can also add the fact that people are not really aware of how easy it is to crack/brute their password.
What will be the way of proving that an account belongs to someone in the future?

What do you think readers, will the world really change that much in the next 3-5 years?

I'd like to add that this is purely guessing or trying to suppose for a near future.

See ya!
venam
Administrators
No-comments to your comment (LOL infinity loop!). It was suppose to provoke some reactions.
Thanks for replying.
Dritz
Long time nixers
I think that there shouldn't be a permanent security protocol or technology. Or rather, can't be. At least not one implemented on a mass scale.

Perhaps in the future we will have super-duper advanced 'learning' security systems that could lengthen the time period between updating, or creating completely new security systems.

According to my knowledge, many contemporary anti-virus softwares already have this type of paradigm implemented. It's, as always, just a matter of refactoring.

On the topic of the increasing number of new digital devices to be created in the future becoming interlinked:

All I can say is that it's going to be interesting. Many companies are already using existing technologies like Wifi and Bluetooth to link digital devices together. And if not through conventional means, they tend to make that 'extra connector accessory thingy' irrexchangable and exclusive to their closed-source designs.

(My parents just bought a new 'Smart' television. When I opened the darn thing I couldn't even figure out where the internal memory unit was located. Heck, everything but the physical ports and the wires looked like Greek to me. Talk about exclusive, irrexchangable closed-source hardware!)

As for hack-ability, I think that as everything gets simpler and more automated, the true hacker will be much more of a rare bird. When things 'just work', people don't have to think about how they work. I won't go as far to list the pros and cons of this development, but one can reasonably predict the repercussions.

More easy/closed-source exclusive library based programming languages being used(ex. the ".Net" languages) + Moore's Law(hardware getting more awesome) = Less low/er level programming languages needed to be used
^ Which is lazy as hell, and yet they still insist on this RAD process...

Less low/er level programming languages needed to be used = Less lower level language programmers

Less lower level language programmers = More less-educated programmers

More less-educated programmers = Less hackers

Less hackers = Less incidents of proprietary technology being teabagged/hacked

And that just, well, sucks. :(

As for the rest of your post:

It's 1:14 in the morning, and I'm too darn tired to type anymore. Sorry. :(

Mah eyes! Dey brun!!! It's all your fault.... :sniff: :sniff:
"Willful ignorance is a crime"
venam
Administrators
Thank you Dritz for your reply.
I also think that there's less real hackers because of the same reasons you mentioned.
However, concerning security there will always be breaches and people trying to get into things that do not belong to them.
These past year anti-viruses and IS are inefficient and not to mention all the 0-days that come out everyday.
Like the old wizard once said:
Extract from 1996, which is extremely true and will be until a major change.
Quote:New viruses come out at the rate of about 8 per day now. NO scanner can
keep up with them all, but the four mentioned here do the best job of
keeping current. Any _good_ scanner will detect the majority of common
viruses. No virus scanner will detect all viruses.
...
Most virus scanners will not protect you against many kinds of trojans,
any sort of logic bombs, or worms. Theoretically, they _could_ protect
you against logic bombs and/or worms, by addition of scanning strings;
however, this is rarely done.

The best, actually only way, to protect yourself is to know what you
have on your system and make sure what you have there is authorized by
you. Make frequent backups of all important files. Keep your DOS
system files write protected. Write protect all disks that you do not
need to write to. If you do get a virus, don't panic. Call the support
department of the company who supplies your anti-virus product if you
aren't sure of what you are doing. If the company you got your
anti-virus software from does not have a good technical support
department, change companies.

The best way to make sure viruses are not spread is not to spread them.
Some people do this intentionally. We discourage this. Viruses aren't
cool.

This is really interesting!
D9u
Long time nixers
You always have to prepare for the worst case scenario so proactive measures are my preference.

* Redundantly mirrored backups performed often.
* Public Key Encryption of all sensitive data.
* Regular software updates.
* Etc.

Security cannot remain static, it must evolve with every addition to every system.
The alternative is the loss of online anonymity.
BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC.
Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
venam
Administrators
Glad that the **sec** guy reply to my thread!

The 3 things you mentioned are the best way to keep data safe. But, there's also ton of alternatives to it.
Backup your important data and it will save you a lot of time.
CrossFold
Long time nixers
TBH, security is always dependent on the user later the programmer.. Like take for example Microsoft... It just tries to improve the looks and ease of use of a program for the user and so doesn't usually take into consideration the security factors. One more thing is, I remember seeing a graph about "Security to ease of use".. If you want something very secure, you have to know that you wont be getting the same ease while using that specific thing (a UNIX system probably), and if you want something easy to use, you wont get Secure applications/OS programmed (Windows). Now usually what people would do is just stay at the center of the graph.. Security + Ease of use.. So, there's reduced security which results into breaches. And truth is, laziness is the only thing that makes programmers code with both the things(Sec and Ease) rather that one..
Programmers are after all humans, and till the day humans are lazy, security will be overlooked and only ease of use will be taken into consideration...

Btw, there are paranoids like us who least bother how easy something is to use...
Its kinda late here and am quite sleepy so probably I might have messed up while typing..
venam
Administrators
It's 2015 and I'm bumping my thread.
Security is still a mess and even more than before with the "Internet Of Things".
http://blog.kaspersky.com/internet-of-crappy-things/
Before writing that post there was no NSA breach, no nothing. Here we are 2015 wondering about what is going to happen next.
z3bra
Grey Hair Nixers
Thanks for bumping this thread! Now that 3 years have passed, a few things have changed. People are way more concerned by privacy/security due to Snowden's declaration. And it's a huge step forward into security.

There are more and more auto-encrypted services, meant for the lambda end-user, like telegram, tor, alpine mails, tox, ... Encryption have never been so easy to use, you don't even need to know what PGP, RSA or AES is to have your messages encrypted, and feel secure.
More and more services are now using the two-factor authentification too, which is way harder to break then the single old login/password auth system.

But based on a few articles I've read recently, i think the biggest problem is not to secure ourselves. The problem lies in the fact that all your data is exposed to the world, and social engineering makes it fairly easy to break. The days where hackers used to brute force passwords or keys is now gone, and any encrypted data can now be considered "safe" (as long as you're not giving your private keys everywhere...). But as long as there will be data available online, there will always be people to hack their way to it, using social engineering, or lying to your service providers to request a new access. Your personnal/sensitive data should remain personnal or encrypted, and in this case, your private keys should not be available anywhere online.

tl;dr if you don't want to see your data stolen, do not expose it. And never trust anyone, not even you.

Edit: a few links
http://www.thoughtcrime.org/blog/gpg-and-me/
http://swiftonsecurity.tumblr.com/post/9...ut-jessica
http://www.theverge.com/a/anatomy-of-a-hack
https://dirk.to/blog/2015/03/05/internet...urity.html
Great thread!
venam
Administrators
Bumping with a very recent conference video by the author of the SET (Social Engineering Toolkit), Dave Kennedy:
Abstract:
Quote:It seems that businesses are truly struggling with how to handle the threats we face as organizations when it comes to information security. From breach to breach, the techniques seem similar yet they completely rip through everything we’ve tried to protect against. As an industry, we’re fighting to define ourselves in a manner where we can actively combat the different demographics we see from attackers. This presentation will walk through what we face as organizations, both politically as well as an industry. Information security isn’t a technology problem – it’s a social issue. Until we recognize that, we will continue to see the continued breaches year after year as we continue to battle (and lose) the same types of attacks. There’s a lot of talk inside the industry on technical controls, products, adversarial simulation, and more for strengthening our defenses. These couldn’t be further away from what we really need to combat these types of attacks. This talk will also be demonstrating effective measures to combat some of the main techniques attackers use in order to attack an organization.
link to video https://youtu.be/-XJiG2hA6zk
venam
Administrators
My prediction was right. With the advancement of AI we're going to see that "self-morphing" intrusion-detection/antivirus happening soon.
Just take a look at what DARPA is working on Cyber Grand Challenge.

I'm also preparing a very long post about this topic.
xero
Long time nixers
(16-03-2016, 04:14 AM)venam Wrote: My prediction was right. With the advancement of AI we're going to see that "self-morphing" intrusion-detection/antivirus happening soon.
Just take a look at what DARPA is working on Cyber Grand Challenge.

I'm also preparing a very long post about this topic.
i was just reading about CGC, very interesting stuff.
dtnt
Members
Quote:My prediction was right. With the advancement of AI we're going to see that "self-morphing" intrusion-detection/antivirus happening soon.
We will, and security will still be shit. Thanks humans.