[dba-SQLServer] Fwd: Windows Secrets: The Sorry Tale of the (un)Secure Sockets Layer

Hans-Christian Andersen ha at phulse.com
Mon Sep 19 10:36:19 CDT 2011


Hi Mark,

You are correct in the sense that it is not feasible to have perfect
security. However, I take issue with how financial systems quietly write off
losses, even if, to them, it's just a fraction of their profits. Their
analysis of cost/benefit often leaves out the true cost. You have to ask
yourself: where does the money go, who benefits from it and how do they
benefit from it. In much the same way that the true cost of
industrialization to the environment was not known or was ignored, money
stolen from bank accounts and so forth typically goes to criminal
organizations and whatnot, which then leads to problems in the world that
often lead to taxes and other social resources being wasted. A little bit
more effort would go a long way and it is very hard to calculate the true
cost of not fixing things; especially when the solution already exists.

Hans-Christian




On 19 September 2011 03:24, Mark Breen <marklbreen at gmail.com> wrote:

> Hello All,
>
> there was a very interesting article recently, I cannot recall if it was in
> MSDN magazine, Code magazine or HBR magazine.
>
> Basically they did some financial analysis on the cost in the US of
> implementing security, vs the cost of a loss.
>
> What was not surprising (to me anyway) was that the cost of implementing
> security (at a macro level) is higher than the potential loss.
>
> I adhere to this philosophy.  In my house I lock my doors at night, but a
> robber can still get in if he really wants to.  To make my house totally
> secure would be to make it impractical and unpleasant to live in.  So I
> balance security with practicalities.
>
> With my IT security I try to adopt the same approach.  My brother is an IT
> security professional, and he sometimes disagrees with me, but sometimes he
> also acknowledges what I suggest.
>
> Thanks
> Mark
>
>
>
>
> On 19 September 2011 10:19, Hans-Christian Andersen <ha at phulse.com> wrote:
>
> > Regarding locking down the hosts file on Windows, if I'm not mistaken, by
> > default it should already be set to read-only and require admin
> > privileges. But, even if you set it to read-only, if you have mistakenly
> > given a malicious attacker admin privileges (or they have found some other
> > hole in which to escalate their privileges), wouldn't it be rather trivial
> > for them to add code to remove the read-only lock from the file? In fact,
> > since this is the default in Windows, I would imagine attackers are
> > probably already factoring RO into their code.
> >
> > Francisco has the right idea in the sense that a very safe environment
> > would be to have a virtual machine set up to boot a live CD of your
> > favorite flavour of Linux (or Windows, if possible?) from a virtual drive
> > in your VM, so that the environment is completely clean and that you know
> > that anything you have done within that instance of the VM is discarded
> > when you shut it down. In fact, if you are really paranoid, don't run it
> > through a VM but from the bare metal of a machine. Then, before surfing,
> > install NoScript and run a full update of Firefox. It takes a little while
> > to get the environment prepared, but it might be all worth it if you are
> > doing online banking. It's what I do.
> >
> > But, regarding this specific issue with Comodo, DigiNotar (and more, it
> > appears), it's probably worth looking into managing what certificates you
> > have within your trusted root store and consider removing ones that you
> > don't feel comfortable having your computer trust implicitly. (
> > http://technet.microsoft.com/en-us/library/cc754841.aspx ) There are far
> > too many in there, which kind of wreaks havoc with the whole chain of
> > trust, in my opinion.
> >
> >
> >
> > Hans-Christian
> >
> >
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com
>
>
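The two checks Hans-Christian describes above (reviewing what the trusted root stores contain, and how well the hosts file is actually protected) as an added PowerShell audit example; this is not code from the thread, and the watch-list names are placeholders chosen for illustration. It only reports; removing a root certificate from the store is a separate, deliberate step.

```powershell
# Added example (not from the thread): read-only audit of the Windows trusted
# root stores and of the hosts file. The watch-list names are assumptions.
$WatchList = @('DigiNotar', 'Comodo')   # issuer names to flag for manual review

function Get-RootStoreReport {
    # Enumerate both root stores. CurrentUser\Root can be written without
    # admin rights, so a per-user root planted by malware shows up only there.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            $hits = foreach ($name in $WatchList) {
                if ($_.Subject -like "*$name*" -or $_.Issuer -like "*$name*") { $name }
            }
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                Flagged    = ($hits -join ',')
            }
        }
    }
}

function Get-HostsFileReport {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item  = Get-Item -Path $hosts
    # The ReadOnly attribute is cleared by anyone who can write the file,
    # so the ACL (who may write) is the check that actually matters.
    $writers = (Get-Acl -Path $hosts).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object -ExpandProperty IdentityReference
    [pscustomobject]@{
        Path            = $hosts
        ReadOnly        = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        WritableBy      = ($writers -join '; ')
        # Non-comment, non-blank lines: unexpected entries here redirect hostnames.
        ActiveEntries   = @(Get-Content -Path $hosts |
                            Where-Object { $_ -notmatch '^\s*(#|$)' }).Count
    }
}

# Show only roots that are expired or match the watch list, then the hosts file.
Get-RootStoreReport | Where-Object { $_.Flagged -or $_.Expired } | Format-Table -AutoSize
Get-HostsFileReport | Format-List
```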

