Innovator's Crisis

This week we've invited Peter Kuper to comment. If you've ever met Peter, you won't be surprised that the topic of this week's post is the crisis amongst innovators. Thanks, Peter!

By Peter Kuper

Google made it entirely impossible for anyone to deny the harsh reality: We are pwned. The call for better security solutions has never been greater – it is headline news not in some geek blog, but in the New York Times. We’re finally getting the attention the problem deserves! Any day now we should be seeing money raining down all over security as the brains would be getting endless calls from investors worldwide, the big tech providers creating a buying frenzy to snap up and rush the leading products to market, and the new solutions and ideas would line up as far as the eye could see.

The reality is the exact opposite – the reality is that the entire ecosystem for the innovative ideas to solve this undeniable problem is in a critical state: the money has left the building and likely ain’t coming back anytime soon. Venture Capitalists have run from security as the easy money returns showered on them from the Symantecs and McAfees of the tech world, let alone the IPOs, have all but disappeared. At a time when our economy needs the VCs the most, they’re not willing or able to step up.

The latest data from VentureWire confirms these fears:

  • Venture-backed cyber-security start-ups secured just $626 million…in 2009, less than half the amount they raised in 2005
  • Buyers are smaller, as are the targets - acquiring entities are mostly “rollups” meaning amassing a portfolio of technologies just for reselling purposes, not advancing the cause (or roadmaps for that matter)
  • E.g., Barracuda Networks “made nine acquisitions since taking $40 million in financing from Sequoia Capital and Francisco Partners in 2006”.
  • "There's a lot of great technologies that haven't gotten traction and people can't see how to profit from it, that are forced into a position to sell when normally they wouldn't be looking to (sell)," Dean Drako, CEO Barracuda Networks.

It is a simple cycle: The companies need to sell as the capital to sustain operations has largely evaporated – fewer sales and less funding lead to more distressed EOLs.

But the slippery (ugly) slope doesn’t end there for us poor users. Even worse, the large security and other technology providers that purchase the private companies with the better technologies are then, in almost every case, killing off the R&D and product roadmaps. The overall data shows the undeniable trend: Despite the over 388 deals completed by the top 10 tech companies, including 276 between 2005-2007, R&D levels declined. Where did the R&D go?

Source: Publicly reported data

Public companies acquired are no exception either; IBM paid $1.3 Billion for ISS and what has become of those technologies? More distressing perhaps is that the problem will linger as the VCs aren’t stepping in to replace the nearly 400 companies wiped off the earth in the past 5 years. The main driver of this is that the VCs are looking at the exit valuations. According to the 451 Group, the returns for technology deals are simply lower.

Cooley Godward’s report captures the reality of VCs’ risk aversion. Over the past four years, fewer early stage deals are being completed in favor of later stage investments. Later stage rounds have increased to 39% in 2009 from 33% in 2006 – the gains came from the A rounds (30% in 2009 vs. 37% in 2006) as Series B stayed the same (30%).

Source: Cooley Godward Kronish


Who cares if the VCs aren’t there?! They weren’t much help anyway, some have cried. While that may be true in some cases, the dollars for R&D aren’t coming from the larger companies either. As Goldman Sachs illustrates in the table which follows, IT has historically been the largest R&D spender versus any other industry, yet it dropped by 6% in 2009 and is expected to increase just 3% this year.

And the even harsher reality is that VCs and public vendors provide the lion’s share of research dollars.

So for now anyway we’re screwed. Of course, eventually the market, as it should, will find an answer. “SuperAngels” is fast becoming a recognized term as wealthy individuals, and groups of such, step in to fund Series A deals that are harder to fulfill in this environment. Boot-strapping is also returning to vogue, which has some very useful residual effects. While growth might be hampered from a lack of resources, running a frugal ship from day one avoids the cash burn trap many startups fall into and retains higher ownership of the company. But given the overall saturated state of attack surfaces, something’s got to give if we hope to fight back, let alone win, anytime soon.

Confessions of a SecAddict

It's Friday, which can only mean a torpedo of FUD comin' at ya.

Sometimes you read a blog post that really hits home.  This is one of them.  I asked Chris if I could repost it here and he was gracious enough to say 'Hell, yeah.  That's cool' (at this point, I pictured him whipping out the MOFO wallet...).

Chris is an experienced security practitioner by day and co-host of the Exotic Liability podcast by night (well worth a listen, just protect the children ;-)) and informal champion for the non-rock-stars in the infosec community (he wouldn't call himself this as he's too modest on this score).

Anyway, enjoy the post and tell us what you think in the comments.  Thanks Chris!

By Chris Nickerson

“GOD, grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom go out drinkin’ afterwards!”

-A.P.Delchi

I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” high tech hipster ways to get a hold on a problem that is created “FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention. (Which is nothing more than promoting the stereotype of security professionals being crybaby prima donnas.) I am over having to try and use corporate politics, backhanded practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train wreck life of a typical security posture.

Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel “under control, hands tied, and with an overall lack of drive”? Do you see a pattern?

./Big_Giant_Breath

These are the signs you would see in a person with an extreme addiction. Yep! Change the words and context around just a little bit and you have a classic addict. It’s hard to choke down. I get it. It’s not conventional… I know. But, it’s real.

As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of “get fixed quick” type programs. There have been high tech treatments and “silver bullet” pills that cure this horrible disease, but none of them was/is a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?

With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hopes that it would seriously up my Social Engineering game. I was taking the cross training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. ( I know, shocking.. haha) Seriously though… I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he was even taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me. It took a long time. To me it felt like an eternity but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no brainer or it may look like the 2 words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness.
I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words:

Powerless: Without POWER

This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next (this concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!) When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.

Helpless: Without HELP

Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you cannot take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail and its security controls are unable to be compromised (after all… you built em ;).

I know, I know you are saying..“ Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with in the beginning of this post.

What did you find?

Well, because we are all human, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time.. Maybe this is the one… Regardless, it is a part of life. We have all been happy or sad, or indifferent. For this simple trend, we all have had common issues.

This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are Detox centers that claim to “Get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.

This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. Because of the lack of ownership, it allows us to “cheat” in our own program. It allows us to blame a scapegoat (whether that’s compliance or an infosec-savvy employee). There is always someone else to blame and at the root of it, it is the reason we have rarely succeeded with our insecurity “recovery.”

Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it.

12 Steps (of insecurity recovery)

1. We admitted we were powerless over security – that our environments had become unmanageable.

2. Came to believe that a power greater than ourselves could restore us to being secure

3. Made a decision to turn our will and our lives over to the care of best practice as we understand them.

4. Made a searching and fearless inventory of our environments and its assets, both information and physical.

5. Admitted to ourselves and those assisting us in our recovery the exact natures of our wrongs

6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.

7. Humbly asked for help remediating our flaws.

8. Made a list of all the persons we ignored and became willing to make amends to them all

9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.

10. Continued to take corporate inventory and when we found flaws promptly admitted it

11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them and only for knowledge of his will for us and the power to carry that out

12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs

I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs.

The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.

Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ol' fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take “The first step.”

Personnel Problems

This week, head hacker Dale Pearson digs into an area that we infosec guys and gals often give lip service to, but all too often fail to properly address.  Cheers mate!

By Dale Pearson

I have a problem; well maybe it’s more of an addiction. I just love gadgets and technology, if it beeps and has lots of flashing lights I just have to have it. I am sure a lot of you share my affliction - we are like magpies - we all like new shiny kit arriving at the door. Ok, so it’s a personal problem, but it’s a problem that exists in organisations also, and it’s a real problem.

In the world of business, organisations are constantly reminded of the threats and risks that exist, and the steps they need to take to reduce and eradicate these so called threats. So how do organisations spend their security budget? Well they spend a lot of money on little boxes that sit in huge racks, with lots of flashing lights and the occasional beep. Sounds like heaven, right? With all these firewalls, IDS, AV and filtering technology we have nothing to worry about; the virtual gates are tightly locked.

It doesn’t stop there though; we need policies, procedure and governance too, so we have to spend a little money here as well. We need to tick those regulatory and legislative compliance tick boxes so we can get the nice certificate on the wall, and assure our customers that we are secure because we are compliant. The purse strings are tightening a little now, but we are jumping aboard the risk management framework train, and this is a big deal, so we need some money for this. So now we are on the circular line of risk procrastination and unrealistic checklists, but it all sounds good and sets the right image to the outside world.

Now there really is no money left in the kitty, but we need to carry out penetration testing and user awareness to keep our certificates on the wall. So we employ a team of penetration testers to run a vulnerability assessment on a small portion of our infrastructure. Now for user awareness training, a simple presentation we can rinse and repeat each year on the Intranet should do the job.

So let's quickly recap. 50% of the budget spent on infrastructure, 25% spent on compliance maintenance, 20% spent on risk management, 4% spent on penetration testing, and 1% on user awareness. Money well spent, and a secure environment has been achieved. Free publicity on the TV, Radio and the Newspapers when millions of customers' records left the building via portable storage and boxes of paper….. priceless.

Companies say they take security seriously, and they know people are the weakest link, and they have training in place to cover this risk. I say FUD. They should hang their head in shame.

Hear me when I say, you have personnel problems. I am not saying forget about all the shiny toys and flashing lights, but remember and invest in your wetware too. People are the weakest link. Humans are programmed to be helpful, not to question, challenge or be suspicious. We need to empower our personnel; they need to be regularly reminded of the risks, and the forms they take. They need procedures to follow to mitigate risks; reward them for following processes and challenging the unknown. This can't be done on the cheap with a presentation knocked up one weekend.

Just ask yourself how much the information that walks out the door is worth, or when users give full access to the network via a Facebook application, or when offered the chance to win an iPod, and calculate how much you should really be investing in real awareness and education. Obviously the other components are important; we just need to readjust the allocation of funding to ensure adequate coverage for all areas of vulnerability. Awareness and education need to hit home at a personal level, and they need to be realistic, effective, constantly maintained and reinforced. Security is everyone’s responsibility.

It’s not that simple, I hear you cry. In order to get funds we need buy-in, we need to demonstrate ROI, and besides, nothing has ever walked out our front door; we would have known.  If this is the case I encourage you to find the budget at least once for a no holds barred, full on social engineering assessment, and I am confident you will be shocked at the results, and if done properly you should be on your way to starting the journey that gets the buy-in and the required ointment for your personnel problems.

There is no magic red pill that will cure the rash that is human stupidity, but through regular monitoring and constant treatment, we can reduce the inflammation to an acceptable level, allowing us to go outside and face the world.


The Constant March of Progress

"Please nurse, can I haz some more?". Yes my long-suffering infosec brethren, it's fudsec Friday and time for your meds.

This week, Chris John Riley is dispensing. Chris currently resides in Austria, where he is a pen-tester in the financial sector, Infosec con junkie and fellow co-host of the Eurotrash Security Podcast. He also has a penchant for red aprons (don't ask).  If you're not already a subscriber to his blog, you're missing out.

by Chris John Riley

I love to learn new things... there, I've said it. I'm addicted to the latest technique, the new attack vector, the shiny exploit code that makes your dreams come true. A lot of us in security are. That's not always such a bad thing. I love the buzz you get when you do something you never thought possible. It's the best kind of high. Still, the first step in any cure is to admit that you have a problem. As an industry, we have a problem. It's time we took a step back and really started to rectify the issues, instead of craving our next fix.

We all love the latest big thing. The thrill of a new idea, the chance to learn something new and different. For many of us in security, the chance to try something out for the first time is hard to pass up. After all, for the majority, this is the reason we got into security in the first place. The constant change, the new challenges and the ability to play with exciting things in the name of progress. We're like kids in a candy store. If you need proof of that, just consider the packed halls at Defcon, Blackhat and a hundred other "security" conferences that take place around the world every year. You can't help but see the ever growing demand for the "next big thing" in information security. I'll gladly admit, I'll be amongst the first reading the latest batch of white-papers to see what I can learn and use next time I'm testing a system. After all, this is why I moved into security to begin with... to have that constant growth and ongoing education that I felt network/server administration lacked. Still, let's keep to the point, because loss of focus is what got us here in the first place.

Where exactly do we expect this constant march of new and ingenious attack strategies to take us? Is there some mythical nirvana we can only reach after gathering up every zero day in Internet Explorer? Are we suddenly going to become secure once we find every possible way to crash Apache server? I don't think that day will be coming anytime soon. Still, that's not really the reason for this little rant... and yes it is a rant, no matter what I try and make of it.

Sometimes as security professionals we need to understand that the latest and greatest isn't always the norm. There are so many perfect examples out there to pick from. Whether it's Conficker, coming back again and again to top-up its prescription, or the seemingly endless hotel chain data breaches. The flaws are well known to us, and well advertised. Of course, there are always exceptions to the rule, and I'm not saying that zero day bugs aren't going to be exploited by attackers. Whether it's manually, or by worms, trojans, and all that come between. There will always be companies worthy of targeted attacks after all. Still these are, as the name suggests, exceptions and not the day-to-day that we still seem to fall down on. As security professionals we can't hope to protect 100% against the unknown. Still, there's no such easy excuse for our general failure to protect and educate about the known.

Perhaps we should all spend a little less time thinking about the next amazing attack technique, and a little more time sitting with the application developers, network technicians, security guards, or even management. Don't you think your clients/customers/company would get more out of going back to basics and really understanding the vulnerabilities a little better, or do you think knowing the latest SSL rebinding attack/defense is more important than fixing the aging SQL Injection flaws in your website? It may not be the new hotness, but it's been more than 11 years since it was first discussed.

I'm not trying to say that ignoring the latest threats and vulnerabilities is the way to go. We need a balanced approach after all. Despite what some people say, defense-in-depth isn't dead yet. Just remember that, for the most part, our jobs are to protect against attackers. Whether you're patching things, finding the flaws in your systems, or responding to attacks. The focus should be on what attackers are doing now, with an eye on what they might do next. Some of the most widespread system infections have been caused by vulnerabilities that should have long been fixed. Take some time to look at the news headlines once in a while. SQL injection, weak or default passwords, misconfigured and unpatched systems, business logic failure and client-side exploits rule the roost.

Maybe I'm in the minority, but most security testing I do comes down to the same depressing flaws and vulnerabilities that have been known for years, in some form or another. How many of us who work as penetration testers can honestly say that the latest technique was the key to breaking through defenses and gaining access? Of those who can honestly say yes, and I'm thinking that's not many, I'm willing to bet these are the companies getting it right. The companies doing the secure development life-cycle, doing the user and developer education, and most importantly, building security into every individual stage. From system and architectural design, through to change management and system maintenance.

I look forward to the time when the only way to bypass defenses is to reach into that bag of tricks and pull out some new miracle pill. To me this is what penetration testing really is, and where I feel it serves its core purpose. After all, there's little value in paying penetration testers to point out something that a 15 minute automated scan could tell you! You don't call an ambulance if all you need is an aspirin.

Sometimes we forget what the real threats to our environment are. We start boarding up the windows and forget all about the side door we left ajar. If this were a zombie movie, we'd be the poor suckers getting blind-sided while searching behind the dresser for our stash.

Where are you going to focus your efforts today?


CyberFUDfare

And as if by magic, a new fudsec post appears.  Having recently survived as a guest of Exotic Liability, I'd like to thank Iftach Ian for delivering our medication to us this week.

By Iftach Ian Amit

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know... sorry...) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.

I decided to start off with my prior knowledge of CyberCrime (again - definitions aside, some say eCrime, some CyberCrime, some tomato...) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were Estonia and Georgia.

Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian - meaning that there didn't seem to be a Kremlin general, high on Vodka, that marched his army of hackers into cyberspace to crush the Estonian internet!!! On the other hand, reality seemed much more familiar than expected - a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that - behold - is attributed to CyberCrime. Almost like someone was trying to push me back to my "place".

To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you're probably aware of the close ties it has with Russian authorities, which allow it to operate almost uninterrupted. The timing of the attacks, and the scale of them, indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonian neighbors.

But from some greased hands that allow RBN to keep running aloof, to "the first true cyberwar" is a long haul...

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it was closely coordinated with kinetic actions taken on the ground by Russian forces. Nevertheless, the same deniability factor plays well here - the main attack surface was the use of botnets operated primarily by CyberCriminal groups.

Interestingly enough - true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s... These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure :-) ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution... Yeah - I’m such a sucker for the media :-(

Too bad that the latest APT (and that’s the last time you'll see this acronym written in this post) is just another FUD-happy name for - wait for it - TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! Run for your lives...

Seriously now. Whether state sponsored (possible...) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names...), we go back again to the FUD motivation.

According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected against by - you guessed it - AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing on us for the last 20 years).

So cheer up! The sky is not falling. It's just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes - even your government (or whatever shell company is used to disguise it). Just as we are used to doing with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime on my blog and the up-and-coming coverage of Cyber[Crime|War] connections at BlackHat EU.


The Importance of Being Earnest in a Global Economy: Allegations, Non-Repudiation and the Value of the Irrefutable in Information Security

This week, Will from Cassandra Security steps up on the Fudsec infosec catwalk for some aurorasomeness (sorry, couldn't resist).  I've got three words for you: data, data, data.  I'm done.  Thanks a lot Will!

By Will Gragido

The Danger of Allegations

Mob mentality is a scary and dangerous thing.  History has proven that time and time again.  Our industry is not immune to this.  In fact, in many respects, it is quite good at perpetuating the madness.  Understanding the interplay of fear, uncertainty and doubt within the cultural zeitgeist and attitude is not only important, but critical.  As a result, we must strive to prevent errant thought and irresponsibility within our profession and industry without sacrificing our ability to think critically.  Avoiding sensationalistic allegations pertaining to cyber-boogiemen, real or imagined, is of paramount importance in order that we not be perceived as a collective body of ‘chicken littles’.  Sensationalism is fine for carnivals and circuses, allegations for the tabloids, but not for an industry where the lines between logical and physical threats are blurring on an ever-increasing level.

Examples of Allegations in Recent History and Their Importance Influencing FUD in Matters of Information Security

Several powerful examples can be drawn from recent history that articulate and underscore this point.  Allegations are often made in the absence of comprehensive data.  Disturbing yes; unrealistic no.  With enough circumstantial evidence arguments can be made with respect to onus and responsibility for events of interest in almost all circumstances.  This is true whether one is speaking of fiduciary malfeasance, large scale cyber criminal cabals, state sponsored activity or what Aunt Sally said to Uncle Phil.  In some cases this is necessary misdirection; in other cases, it is simply irresponsible and Barnumesque.   Regardless, it is vitally important that a clear understanding of the word ‘allegedly’ exists in your lexicon in order to avoid pitfalls.  Understanding it will aid you in your daily and professional lives.  The word ‘allegedly’ can be defined in the following way:

•    A declaration made that cannot be proven or substantiated; a claim with questionable supporting evidence.  

The ‘Aurora’ attacks, or ‘Operation Aurora’ (named by Dmitry Alperovitch of McAfee), of recent history are excellent examples of the power of allegation wielded in the absence of irrefutable evidence.  Beginning in mid-December 2009, this event of interest, colloquially referred to as ‘operation aurora’, took on a life of its own.  The first to publicly (and this is important, folks) address and speak about it was Google (blog post made in mid-January).  It should be noted that Google stated that the attack ‘originated’ in China, and that though U.S. Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China, neither she nor Google blamed the Chinese Government nor accused them of being responsible.  That is of paramount importance.  Why?  In part because there was not sufficient evidence to suggest or warrant such allegations, yet sensationalism (and the media momentum associated with it) built like a tsunami.  Over time the attack was said to have targeted several organizations including but not limited to:

•    Adobe
•    Juniper Networks
•    Rackspace
•    Yahoo!, Inc.
•    Symantec, Inc.
•    Northrop-Grumman
•    DOW Chemical

Researchers the world over exhaustively pored over the Microsoft IE zero day vulnerability used in the compromise in order to analyze and assess the possibility of derivative exploitation.  Commentary on the levels of sophistication ranged from ‘very’ to more ‘elementary’.  Media figures, industry pundits and people the world over who previously assumed that concepts such as advanced persistent threats and subversive multi-vector threats (the author is of the opinion that these threats are absolutely real but that they are non-trivial in terms of architectural intent) were the stuff of which cyber-boogeymen were made, began changing their tunes.  Unbridled allegations and assertions were being made even in light of the fact that on almost a day-to-day basis more information was coming to the surface.  Onus and responsibility were shifted away from the Chinese Government and re-focused on two universities within China.  Some argued that this could be a cleverly devised diversionary tactic of the Chinese, while others entertained other, equally plausible (in my humble opinion) explanations having to do with China being effectively ‘framed’ for this event of interest.

Wake Me When It’s Over: Reality Checks in the Midst of Chaos 

The reality is that without careful intelligence gathering, application of analytics and thorough vetting of data, we are left to speculate, arrive at best guesses and thusly produce statements which include, for better or worse, allegations.  Put another way, unless we have a need to know (and there is something to know), we most often don’t know what we don’t know.  We need to understand as information security professionals that there is a danger in mad speculation.  It more often leads to a state of imbalance rather than control.  We must think more clearly so as to avoid mistakes from which extraction could prove difficult at best.  China is an easy target.  We do know they are active in the proliferation of cyber-warfare tactics, methodologies and strategy; however, we must be careful to avoid throwing the baby out with the bath water, so as to avoid finding ourselves being the accused as opposed to the accuser.

Closing Thoughts

The world and our interactions within it are changing; as such, the ability to approach these challenges dynamically while presenting the appropriate mindset is critical.  The ability to think and consider things in an asymmetric fashion in a symmetric world is of the utmost importance and influences non-repudiation greatly.

  1. The threats are real, but we need to assess the data carefully and in a manner not driven by hysteria
  2. In the absence of irrefutable proof, we risk much when we make allegations; we need to be careful
  3. As my colleague Josh Corman and I were discussing this, it occurred to us that we will always lack 100% irrefutable proof, but that we must make decisions for the greater good predicated on the best intelligence we have at the time
  4. As a result we must be more highly attuned to FUD and its impact on tactical and strategic information security as it is easy to be misled

Your thoughts?

Customer-Induced FUD

We're breaking rank and posting a day early this week.  Why?  To give this post some time to breathe before a small gathering in San Francisco of security wonks.  My thanks to Jeremiah for this post, and I fully agree with his call to action!  You?

By Jeremiah Grossman

I’m told fudsec is a place to float, among other things, half-baked and incomplete security ideas. I’ve no shortage of those I assure you. Fortunately the infosec community is not shy about telling you so. For today’s thought let’s provide some background...

A few weeks ago a consultant by the name of Larry Suto published “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” [1] which reviewed desktop black box website vulnerability scanners: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service). Larry faced off these products using the vendors’ very own public-demonstration, vulnerability-laden “test websites” as the scan targets. For those curious, WhiteHat Security politely declined to participate because Sentinel is delivered as a SaaS solution and not a product like the others tested. [2]

You may read the report yourself, but I’ll save you the suspense. The results for nearly all scanners were basically horrible. Large percentages of vulnerabilities were missed, there were false-positives galore, and significant human configuration time was required. Perhaps these are benefits if you are looking for tools to help fill the gaps in your day and provide job security. Several vendors wasted little time in defending themselves, attacking the report’s methodology and Larry himself, which is presumably to be expected anytime you call someone’s baby ugly.

The conclusion from the vendors: Don’t take these results seriously. For best results, scan real-live production websites, like your own environment, and not test websites.

You know, I can agree with that! I’ve been recommending the same for quite some time. First though, try something a little different. Turn the tables around. Instead of running your websites through the gauntlet, risking downtime from intrusive scans, only to discover you have vulnerabilities just like everyone else -- how about making the vendor eat their own dog food.

Ask the sales rep for a trial license and permission to scan THEIR production commerce website(s). That’s right, scan the vendor! Imagine their FUD-induced response. If they really believe in their product’s capability, safety, and marketing hype this shouldn’t be an unreasonable request. A “right to test” is no more than any reasonable cloud computing client would ask for. Right? Plus, doing so will provide a good reference point for when you scan your own websites, if, in fact, Larry’s results were atypical. The sales rep might say they don’t have authority to grant such authorization. Fair enough, but go ahead and press a little. It’s not like the bad guys are asking permission to scan these sites everyday anyway. Just ask [3] xssed.com [4].


[1] http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/
[2] http://jeremiahgrossman.blogspot.com/2010/02/wheres-whitehat-re-scanner-comparisons.html
[3] http://www.xssed.com/search?key=hp.com
[4] http://www.xssed.com/search?key=ibm.com

The Broken Windows Economics of IT Security

What type of vendors are you dealing with?  Type A or B?  

Amrit is back with a post that highlights the link between economics, security and vendors.  Thanks Amrit!

By Amrit Williams [reposted with permission]

To economists, the term “Broken Windows” refers to the question of whether, if a shopkeeper pays a glazier to repair a broken window at his store, this delivers an economic benefit to society. Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” By Frederic Bastiat 

The majority of economists, however, would say that it is a fallacy to believe that the broken window generates economic good, as it forces the shopkeeper to expend resources to fix something that wasn’t broken and functioned perfectly well before small boys began playing baseball in front of the shop. Paying for repairs reduces his/her business’ ability to spend money on more rewarding alternatives—financing inventory, expanding the shop, etc.

But if, by way of deduction, you conclude, as happens only too often, that it is good to break windows, that it helps to circulate money, that it results in encouraging industry in general, I am obliged to cry out: That will never do! Your theory stops at what is seen. It does not take account of what is not seen.

It is not seen that, since our citizen has spent six francs for one thing, he will not be able to spend them for another. It is not seen that if he had not had a windowpane to replace, he would have replaced, for example, his worn-out shoes or added another book to his library. In brief, he would have put his six francs to some use or other for which he will not now have them.

Society loses the value of objects unnecessarily destroyed, and at this aphorism, which will make the hair of the protectionists stand on end: “To break, to destroy, to dissipate is not to encourage national employment,” or more briefly: “Destruction is not profitable.”

IT security has evolved into a classic broken windows business. It exists to repair things that shouldn’t break in the first place. Furthermore, every dollar that a business spends on Security subtracts a dollar from expenditure on more worthwhile alternatives—product innovation, improved public services, higher salaries, dividends to investors, etc.

Every so often someone gets up and claims that good IT security pays for itself. Nonsense. Every CEO, CIO, and CFO I have ever met resents every dollar they have to spend to protect themselves from the oversights of system architects, software developers, and product designers. They know that IT security is a wound that never heals, and that while they need to be lucky all the time, a hacker needs only to be lucky once to do serious damage to business processes, balance sheet assets, and/or marketplace reputation.

Realistically, IT security is going to remain a significant budget item as far as the eye can see. But I believe two types of security solution vendors have emerged. While they still make up a majority, Type A vendors sell paranoia. They harp endlessly on the mortal threats of thumb drives, social media sites, and satanic plots spawned by hackers of disparaged nations and ethnicities. Shattered windows are their business and they love the sound of breaking glass. Established Type A security vendors simply have too much to lose by helping their customers eliminate or reduce the potential for broken windows events and thereby enabling companies to reduce their IT security budgets.

Type B vendors recognize the market opportunity to help customers reduce the cost and complexity of IT security. Make no mistake. Profit motivates Type B vendors every bit as much as Type A counterparts. It’s just that they mix some enlightenment with their self-interest. Type B vendors are the ones advocating ways to efficiently minimize target surfaces, radically change their security programs, and perform mundane but necessary system management processes as thoroughly and friction-free as possible.

While generalizations are slippery, such vendors will always be in the minority and tend to be the innovative upstarts of the industry. They are not part of the PCI collective, they find it difficult to swim against the rising tide of broken glass marketing, they offer viable alternatives to the current <glass breaks – repair glass – add more glass – glass breaks – repeat> cycle the IT security industry has created.

As I write, the RSA Conference is getting ready to open soon in San Francisco. Hundreds of vendors will convene to spend millions of dollars to convince public and private sector managers to continue to spend billions of dollars on various IT security widgets, left-handed monkey wrenches, and foo foo dust. They will do their best to drown out voices that say it doesn’t have to be this way, that there are viable alternatives to the never-ending IT security hamster wheel of pain. What a waste.

Casual Hex and the Failure of Security Awareness Training

This week I'm pleased to announce that this week's guest haxxor, Larry Pesce from PaulDotCom, was able to extract himself from the Matrix for this post.  This is all the more remarkable when you consider the availability of free beer within the Matrix (Larry, I'll buy you a beer the day we meet, so long as you promise not to Shmooball me).  My thanks to Larry!  Please leave your comments below...

by Larry Pesce

I've been preaching education for end users for quite some time, knowing that having educated users would help keep them from getting owned, either at home or at work.

I'm beginning to think that user education is a losing battle.

We've preached to our users about safe internet practices. We tell them to examine SSL certificates. We tell them not to open e-mail attachments from people that they were not expecting.

What do they do? Exactly the opposite of what we say. Why? Human nature I suppose. In 99% of the cases the users we are supporting are not what you call tech savvy. Sure they can set the clock on their VCR nowadays, but they don't know how to use the computer to do much more than the job at hand. They just want that new piece of technology (computer or otherwise) to work. They want to get their job done, communicate with their friends or do something cool.

When we do convince them to click "NO", and it doesn't work or do something cool, they try again and click "YES". Nothing Advanced or terribly Persistent about it. Yes, it is still a threat.

So why doesn't user education work? No matter how many seminars we give, pamphlets we distribute, or posters we hang, quite frankly, our users don't care.

I used to think that if the education worked for just one person in an organization it was all worth it. The problem is that all of that education is a lot of work to develop and deliver to reach one person out of fifty. With persistent education, maybe we will get three out of those fifty. Scale that up a bit and those aren't very good odds in helping protect your organization.

Let's draw a parallel to the recent compromises at Google. Not having worked there, I have to make some assumptions about the skill level and caring of the staff there. One has to figure that most of the employees are pretty technical and get the risk. They, for the most part, don't need the user education. The problem is there are a whole bunch of people that help that business run that aren't techies. That's who gets owned. I'd imagine that Google has a pretty darned good internal user education program. They still got owned.

So, how do we save the users from themselves? Maybe this whole internet fad is out of hand. We can spend metric assloads of money on security technology and the people to appropriately staff them. Or we can change the way people think about the internet in general in a work environment. Instead of user education for everyone connected to the internet at the office, how about we make the use of the internet a privilege, not an inalienable right.

Now the user education for the few people in the organization that actually do have access to the internet will hopefully have a little more punch, potentially reduce our costs on some security technology and staffing, as well as potentially changing our overall security posture.

Best of luck on whichever direction you choose. It is just a matter of time before we're all compromised no matter what we do.

The Corollary of Fear, Uncertainty and Doubt - False Reassurance

This week, geek reporter Carl Brooks does a turn on the fudsec catwalk.  Carl worked in the trenches for 10 years as an IT consultant/administrator before switching careers.  Here he argues that FUD is less about security, and more about shills selling security to suckers.  He has a point - maybe it's time to "rebrand" fudsec: "Shills and Suckers"?  Thanks Carl!

By Carl Brooks

I’m here to join the long chain of security-minded IT people to straighten out some of the bugaboos of security: where it lies, where you should start looking, and why people really need, at the very least, to understand what to worry about.

I’m no security professional. I’m a middling-to-fair sysadmin with plenty of run-of-the-mill small network experience, but I worked for people to whom computers might as well have been crystal balls and CAT5e was something I named my pets because I was weird. So like many of my ilk, I was the temple guardian for lots and lots and lots of users who trusted everything they read in an email or thought Microsoft ISA was a real firewall because it said so on the box.

This is the heart of the problem. Computers are commoditized, networks are commoditized, IT overall comes in a box that you buy off the shelf. It's not news that any old sap can get themselves a full fledged network of computing resources with a call to Dell and a trip to Best Buy. On the way comes fear, uncertainty and doubt about all the things that can go wrong, all the threats out there -- and 99% of them are bogus -- just sales pitches to cram another product in your box or your building or your brain.

Bought a server? The Dell fella sure was helpful, huh? He even said you should get up and running with that antivirus server trial on there, roll it out to all your computers, keep your employees safe! Never mind that you don't know what your router is for - it's got a firewall, says so on the box. Why, without a firewall, you're screwed like a slow ape by a fast gorilla! And backups!!!! Holy DAT, Batman, you need a backup! Yes, plug it in. Phew. Done.

That's the problem, kids. Every user in the world is convinced they need security features, not security procedures. They KNOW this. It's drilled in. Tell a manager antivirus is a bow, not the present, or tell him managing backups will take more than one trip, and you've got five heads. He knows he's supposed to be afraid, but you aren't presenting the answers he's primed for. That’s what FUD is for: shape someone's worry, and you've shaped their answer.

This is why, for the purposes of security, there is only one answer: someone, somewhere, has to know what the fuck is going on with your IT. That responsibility is the only answer to buying 'solutions', because they can, and do, go horribly wrong. It's the corollary of fear, uncertainty and doubt - false reassurance and false confidence lead to consequences you don't understand.

As always, security devolves to fundamentals - and they're usually forgotten after all the dots on the planning chart are connected. Real security is the afterthought until it’s a necessity. It's more common than not that nobody really knows what’s going on in their organization. That is always the real headache around security. It’s almost NEVER a technical problem.

Now, here’s a real security problem or two, by way of example:

Back when I worked for a living, we ran ‘outsourced IT’ for small businesses; we also ran a thriving emergency room for computing disasters.

One day we get a server with a failed RAID 5 array, delivered by a guy who pretends he has no idea why he is there. We call the boss, find out he wants the RAID fixed and the data back. Unfortunately, the array has been destroyed despite having two perfectly fine hard drives.

Oh, dear. We naturally ask Mr. Shrugs-a-Lot what led to this turn of events. We eventually determine, no thanks to Mr. Now-Sweating-Bullets, that he had called his “computer guy” who, over the phone, had tried to help him diagnose and repair a failed disk in a hotswap RAID5 array. Hotswap!!! “Computer guy" doesn’t know what on God’s green earth he is doing, so he calls Dell support on his other phone, while relaying instructions to Mr. Now-Gripped-with-Icy-Terror. Guess what Dell told them to do.

To sum up, my boss worked through the weekend, made a nice fat fee and I had a frank talk with the client company's president. That’s a security problem, people. But, you say, they didn’t know any better, clearly this doesn’t happen in organizations that use process and compliance and have IT staff.

Oh, really?

Ok, one day, in runs a dude we’d never seen before, carrying a circa 1998 whitebox tower. This is in 2006-ish. He is in a panic. He works for a security company, the kind that sits in gatehouses with badges on. It is, naturally, a disaster: failed mainboard, rapidly failing hard drive, years of environmental exposure, frankly worthless. It’s a loss. More panic.  Many cell phone calls, hands waving, and treading circles in the workshop. Turns out there is no replacement for this machine, no backups and no way to reconstruct the configurations.

Windows 98, naturally, with some custom app some nameless developer came up with a long time ago, no docs, no contacts, nothing. They are royally fucked; this is the thing onsite they need to do their job. Well, we perform the specialty of IT all over the world, and pull something out of our asses, locate a chassis and gear that supports this slop, image the drive to a new one, etc.  Off they go, the security folks with their repaired and functional piece of poop. What was it for?

It was the sole repository of photo ID and entry and exit badge verification data, including all the photos and employee records, for a single point of entry at a very, very, very large aerospace weapons manufacturer.

We did a little work for that “security company” subsequently. Anyone want to guess the admin password on their NETGEAR firewall? Don’t bother, you can look it up.

Now THAT, ladies and gentlemen, is a security problem.