Ah, the nice open Internet. Sunny days, eh?
Not so fast. A big theme at the RSA 2015 Conference in San Francisco last week was protection by reputation: intelligence on malware sources, known hacking domains, and spammers pushing botnet payloads. Protect yourself!
If we're to believe these organizations, civilians don't have a chance in the first place. I might agree. Consider today's batch of messages to my accounts. I'll spare you the Who's Who nomination and items in Kanji that I can't read.
- There were 14 malware payloads, in the form of attached zip files; most of them posed as voicemail messages.
- Seventeen messages were links to bad places that tried to slip my test machine's browser a bunch of code, blocked by NoScript, the script-blocking browser extension.
- One message came from an old friend, whose name frequently appears along with the rest of her friends: a stolen contact list.
- One of the messages had a .doc file with a macro virus.
- One of the messages had a .xls file attached.
- Two files had HTML links.
Several messages were sent to xerox1.station at ExtremeLabs.com. Heaven knows what that was. One message was for ExtremeLabs.net, which I am not, so I forwarded it. This happens frequently on Twitter, too. No, we don't sell fabulous body building foods.
In all, numerous attempts at mayhem crossed my email inbox. In fairness, the domain and my address have been on the internet for a couple of decades, and so I'm on plenty of databases used for money-making opportunities—as spam.
The reputation-based organizations want to posit that they share intelligence: frequently updated lists of bad IPs, malicious domains, and rogue DNS servers, the naughty kind that redirect you to mayhem, perhaps to the depths of hell itself.
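To make the two passages above concrete, here is an added example (not code from the column or from any reputation vendor) that tallies a batch of inbound messages the way the list earlier in the column does, using the attachment type and a lookup against a shared blocklist of sender and link hosts. The blocklist entries, the IP addresses, the policy for which extensions are risky, and the sample messages are all constructed for the example; a real deployment would pull the feeds from its intelligence provider instead.

```python
"""Triage inbound mail against simple reputation lists (added example).

Models the column's tally: each constructed message is tagged by risky
attachment type, by whether it carries links, and by whether the sender
host or any linked host appears on a constructed blocklist. Nothing here
is real intelligence data.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed reputation feeds standing in for a shared intelligence list.
BAD_DOMAINS = {"malware-drop.example", "phish-login.example"}
BAD_IPS = {"203.0.113.7"}  # documentation range, constructed sample

# Attachment extensions the column's examples make worth a second look.
RISKY_EXTENSIONS = {
    ".zip": "zip_payload",
    ".doc": "office_doc", ".docm": "office_doc",
    ".xls": "office_doc", ".xlsm": "office_doc",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    sender_ip: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def link_hosts(body):
    """Hostnames of every http(s) link found in the message body."""
    return {urlparse(u).hostname or "" for u in URL_RE.findall(body)}


def classify(msg):
    """Return the set of triage tags for one message."""
    tags = set()
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain in BAD_DOMAINS or msg.sender_ip in BAD_IPS:
        tags.add("bad_sender_reputation")
    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            tags.add(RISKY_EXTENSIONS[ext])
    hosts = link_hosts(msg.body)
    if hosts:
        tags.add("has_links")
    if hosts & BAD_DOMAINS:
        tags.add("bad_link_reputation")
    # The column's most common lure: a zip "voicemail".
    if "voicemail" in msg.subject.lower() and "zip_payload" in tags:
        tags.add("fake_voicemail_lure")
    return tags


def tally(messages):
    """Count how many messages carry each tag, like the column's list."""
    counts = {}
    for m in messages:
        for t in classify(m):
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample batch (hostnames use reserved .example names).
SAMPLE_MESSAGES = [
    Message("vm@telco.example", "198.51.100.4", "Voicemail from 555-0100",
            "Your message is attached.", ["vm_0100.zip"]),
    Message("deals@phish-login.example", "203.0.113.7", "Verify account",
            "Click http://phish-login.example/login now", []),
    Message("friend@mail.example", "198.51.100.9", "hey",
            "see http://shop.example/item", ["invoice.doc"]),
    Message("hr@corp.example", "198.51.100.10", "Q1 numbers",
            "Spreadsheet attached.", ["q1.xls"]),
]

if __name__ == "__main__":
    for tag, n in sorted(tally(SAMPLE_MESSAGES).items()):
        print(f"{n:3d}  {tag}")
```

Note that the script only flags `.doc`/`.xls` attachments as Office documents to inspect; deciding whether one actually carries a macro needs a proper OLE parser, which is outside this example.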
The threats are real. I'm reminded of the aphorism that nothing is foolproof, because fools are so ingenious. The BYOD campaign has, for many, been a campaign of Bring Your Own Malware. Do these products actually constrain user behavior in a way that's unobtrusive yet still walls users off from bad ends?
I'm of the belief that there are no secure boundaries, and that each device needs to be secure by itself. This philosophy bends me towards accepting the philosophy behind Network Access Control (NAC) devices. These admission systems were initially promoted more than half a decade ago. They would query each device before admittance, make sure its AV and policy controls were up to date, then hand it an IPsec-based network encryption key that would unlock resources, much as Kerberos works, in a way. All traffic on the network would be encrypted by IPsec, so simple protocol scanners wouldn't work. Except that devices already on the network would have the keys anyway.
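The admission flow just described, and its weak spot, can be shown in a small simulation. This is an added example, not the column's code or any NAC product's logic: the policy thresholds, device records and the "key" (a random token standing in for an IPsec credential) are constructed. It admits a device only after a posture check, then shows that a device admitted earlier keeps its key after its posture drifts unless the controller reassesses it periodically.

```python
"""Simulated NAC admission with posture checks (added example).

Two behaviours are modelled: admission-time checking, where a key is
issued only to a compliant device, and periodic reassessment, which
revokes keys from devices that have drifted out of policy since they
were admitted. All values are constructed for illustration.
"""
import secrets
from dataclasses import dataclass

# Constructed policy: AV signatures at most 3 days old, patch level >= 7.
POLICY = {"max_av_signature_age_days": 3, "required_patch_level": 7}


@dataclass
class Device:
    name: str
    av_signature_age_days: int
    patch_level: int


class AdmissionController:
    def __init__(self):
        self.keys = {}  # device name -> issued key token

    def posture_ok(self, dev):
        """The policy query the controller runs before admitting a device."""
        return (dev.av_signature_age_days <= POLICY["max_av_signature_age_days"]
                and dev.patch_level >= POLICY["required_patch_level"])

    def admit(self, dev):
        """Issue a key only to a compliant device; return None otherwise."""
        if not self.posture_ok(dev):
            self.keys.pop(dev.name, None)
            return None
        key = secrets.token_hex(16)  # stand-in for an IPsec credential
        self.keys[dev.name] = key
        return key

    def has_access(self, dev):
        """True while the device still holds a key."""
        return dev.name in self.keys

    def reassess(self, devices):
        """Re-run the posture check on admitted devices and revoke keys that
        no longer qualify. Without this step an admitted device keeps its
        key no matter how its posture drifts."""
        revoked = []
        for dev in devices:
            if dev.name in self.keys and not self.posture_ok(dev):
                del self.keys[dev.name]
                revoked.append(dev.name)
        return revoked


def scenario():
    """Walk one admitted device through drift and reassessment."""
    nac = AdmissionController()
    laptop = Device("laptop-1", av_signature_age_days=1, patch_level=8)
    kiosk = Device("kiosk-9", av_signature_age_days=30, patch_level=2)

    admitted = nac.admit(laptop) is not None   # compliant: gets a key
    refused = nac.admit(kiosk) is None         # non-compliant: no key

    laptop.av_signature_age_days = 20          # posture drifts after admission
    still_in = nac.has_access(laptop)          # admission-time check alone: still in

    revoked = nac.reassess([laptop, kiosk])    # periodic re-check pulls the key
    after = nac.has_access(laptop)
    return admitted, refused, still_in, revoked, after


if __name__ == "__main__":
    print(scenario())
```

The `still_in` result is the column's objection in miniature: a one-time gate says nothing about a device after it is through. The `reassess` step is one common mitigation (short key lifetimes or periodic posture re-checks); the example does not model what an already-keyed device can do in the meantime.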
Back to the bastion host concept.
All of these are starts, none of them completely foolproof. The United States spends billions of dollars on military hardware and armed forces, yet our networks are under constant attack, and while some of the traffic is of internal U.S. origin, much is not. Why can't these funds be turned towards a security methodology that makes computing safe for everyone?