The Constant March of Progress

"Please nurse, can I haz some more?". Yes my long-suffering infosec brethren, it's fudsec Friday and time for your meds.

This week, Chris John Riley is dispensing. Chris currently resides in Austria, where he is a pen-tester in the financial sector, Infosec con junkie and fellow co-host of the Eurotrash Security Podcast. He also has a penchant for red aprons (don't ask).  If you're not already a subscriber to his blog, you're missing out.

by Chris John Riley

I love to learn new things... there, I've said it. I'm addicted to the latest technique, the new attack vector, the shiny exploit code that makes your dreams come true. A lot of us in security are. That's not always such a bad thing. I love the buzz you get when you do something you never thought possible. It's the best kind of high. Still, the first step in any cure is to admit that you have a problem. As an industry, we have a problem. It's time we took a step back and really started to rectify the issues, instead of craving our next fix.

We all love the latest big thing. The thrill of a new idea, the chance to learn something new and different. For many of us in security, the chance to try something out for the first time is hard to pass up. After all, for the majority, this is the reason we got into security in the first place. The constant change, the new challenges and the ability to play with exciting things in the name of progress. We're like kids in a candy store. If you need proof of that, just consider the packed halls at Defcon, Blackhat and a hundred other "security" conferences that take place around the world every year. You can't help but see the ever-growing demand for the "next big thing" in information security. I'll gladly admit, I'll be amongst the first reading the latest batch of white-papers to see what I can learn and use next time I'm testing a system. After all, this is why I moved into security to begin with... to have that constant growth and ongoing education that I felt network/server administration lacked. Still, let's keep to the point, because loss of focus is what got us here in the first place.

Where exactly do we expect this constant march of new and ingenious attack strategies to take us? Is there some mythical nirvana we can only reach after gathering up every zero day in Internet Explorer? Are we suddenly going to become secure once we find every possible way to crash an Apache server? I don't think that day will be coming anytime soon. Still, that's not really the reason for this little rant... and yes it is a rant, no matter what I try and make of it.

Sometimes as security professionals we need to understand that the latest and greatest isn't always the norm. There are so many perfect examples out there to pick from. Whether it's Conficker, coming back again and again to top up its prescription, or the seemingly endless hotel chain data breaches. The flaws are well known to us, and well advertised. Of course, there are always exceptions to the rule, and I'm not saying that zero day bugs aren't going to be exploited by attackers, whether manually, or by worms, trojans, and all that come between. There will always be companies worthy of targeted attacks, after all. Still, these are, as the name suggests, exceptions and not the day-to-day that we still seem to fall down on. As security professionals we can't hope to protect 100% against the unknown. Still, there's no such easy excuse for our general failure to protect and educate about the known.

Perhaps we should all spend a little less time thinking about the next amazing attack technique, and a little more time sitting with the application developers, network technicians, security guards, or even management. Don't you think your clients/customers/company would get more out of going back to basics and really understanding the vulnerabilities a little better? Or do you think knowing the latest SSL rebinding attack/defense is more important than fixing the aging SQL injection flaws in your website? It may not be the new hotness, but it's been more than 11 years since it was first discussed.

I'm not trying to say that ignoring the latest threats and vulnerabilities is the way to go. We need a balanced approach, after all. Despite what some people say, defense-in-depth isn't dead yet. Just remember that, for the most part, our job is to protect against attackers, whether you're patching things, finding the flaws in your systems, or responding to attacks. The focus should be on what attackers are doing now, with an eye on what they might do next. Some of the most widespread system infections have been caused by vulnerabilities that should have long been fixed. Take some time to look at the news headlines once in a while. SQL injection, weak or default passwords, misconfigured and un-patched systems, business logic failures and client-side exploits rule the roost.

Maybe I'm in the minority, but most security testing I do comes down to the same depressing flaws and vulnerabilities that have been known for years, in some form or another. How many of us who work as penetration testers can honestly say that the latest technique was the key to breaking through defenses and gaining access? Of those who can honestly say yes, and I'm thinking that's not many, I'm willing to bet these are the companies getting it right. The companies doing the secure development life-cycle, doing the user and developer education, and most importantly, building security into every individual stage, from system and architectural design through to change management and system maintenance.

I look forward to the time when the only way to bypass defenses is to reach into that bag of tricks and pull out some new miracle pill. To me this is what penetration testing really is, and where I feel it serves its core purpose. After all, there's little value in paying penetration testers to point out something that a 15 minute automated scan could tell you! You don't call an ambulance if all you need is an aspirin.

Sometimes we forget what the real threats to our environment are. We start boarding up the windows and forget all about the side door we left ajar. If this were a zombie movie, we'd be the poor suckers getting blind-sided while searching behind the dresser for our stash.

Where are you going to focus your efforts today?


CyberFUDfare

And as if by magic, a new fudsec post appears. Having recently survived as a guest of Exotic Liability, I'd like to thank Iftach Ian for delivering our medication to us this week.

By Iftach Ian Amit

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know... sorry...) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.

I decided to start off with my prior knowledge of CyberCrime (again - definitions aside, some say eCrime, some CyberCrime, some tomato...) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were Estonia and Georgia.

Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian - meaning that there didn't seem to be a Kremlin general, high on Vodka, that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar than expected - a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that - behold - is attributed to CyberCrime. Almost like someone was trying to push me back to my "place".

To be completely honest, there was a bit more to it. Anyone who is familiar with the RBN is probably aware of the close ties it has with Russian authorities, which allow it to operate almost uninterrupted. The timing and scale of the attacks indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonian neighbors.

But from some greased hands that allow RBN to keep running aloof, to "the first true cyberwar" is a long haul...

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it was closely coordinated with kinetic actions taken on the ground by Russian forces. Nevertheless, the same deniability factor plays well here - the main attack surface was the use of botnets operated primarily by CyberCriminal groups.

Interestingly enough - true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s... These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure :-) ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution... Yeah - I’m such a sucker for the media :-(

Too bad that the latest APT (and that’s the last time you'll see this acronym written in this post) is just another FUD-happy name for - wait for it - TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! Run for your lives...

Seriously now. Whether state sponsored (possible...) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names...), we go back again to the FUD motivation.

According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by - you guessed it - AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up! The sky is not falling. It's just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes - even your government (or whatever shell company is used to disguise it). Just as we are used to doing with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime on my blog and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU.


The Importance of Being Earnest in a Global Economy: Allegations, Non-Repudiation and the Value of the Irrefutable in Information Security

This week, Will from Cassandra Security steps up on the Fudsec infosec catwalk for some aurorasomeness (sorry, couldn't resist). I've got three words for you: data, data, data. I'm done. Thanks a lot Will!

By Will Gragido

The Danger of Allegations

Mob mentality is a scary and dangerous thing. History has proven that time and time again. Our industry is not immune to this. In fact, in many respects, it is quite good at perpetuating the madness. Understanding the interplay of fear, uncertainty and doubt within the cultural zeitgeist and attitude is not only important, but critical. As a result, we must strive to prevent errant thought and irresponsibility within our profession and industry without sacrificing our ability to think critically. Avoiding sensationalistic allegations pertaining to cyber-boogiemen, real or imagined, is of paramount importance in order that we not be perceived as a collective body of ‘chicken littles’. Sensationalism is fine for carnivals and circuses, and allegations for the tabloids, but not for an industry where the lines between logical and physical threats are blurring on an ever increasing level.

Examples of Allegations in Recent History and Their Importance Influencing FUD in Matters of Information Security

Several powerful examples can be drawn from recent history that articulate and underscore this point. Allegations are often made in the absence of comprehensive data. Disturbing, yes; unrealistic, no. With enough circumstantial evidence, arguments can be made with respect to onus and responsibility for events of interest in almost all circumstances. This is true whether one is speaking of fiduciary malfeasance, large scale cyber criminal cabals, state sponsored activity or what Aunt Sally said to Uncle Phil. In some cases this is necessary misdirection; in other cases, it is simply irresponsible and Barnumesque. Regardless, it is vitally important that a clear understanding of the word ‘allegedly’ exists in your lexicon in order to avoid pitfalls. Understanding it will aid you in your daily and professional lives. The word ‘allegedly’ can be defined in the following way:

•    A declaration made that cannot be proven or substantiated; a claim with questionable supporting evidence.  

The ‘Aurora’ attacks, or ‘Operation Aurora’ (named by Dmitry Alperovitch of McAfee), of recent history are excellent examples of the power of allegation wielded in the absence of irrefutable evidence. Beginning in mid-December 2009, this event of interest colloquially referred to as ‘operation aurora’ took on a life of its own. The first to publicly (and this is important, folks) address and speak about it was Google (blog post made in mid-January). It should be noted that Google stated that the attack ‘originated’ in China, and that though U.S. Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China, neither she nor Google blamed the Chinese Government or accused them of being responsible. That is of paramount importance. Why? In part because there was not sufficient evidence to suggest or warrant such allegations, yet sensationalism (and the media momentum associated with it) built like a tsunami. Over time the attack was said to have targeted several organizations including but not limited to:

•    Adobe
•    Juniper Networks
•    Rackspace
•    Yahoo!, Inc.
•    Symantec, Inc.
•    Northrop-Grumman
•    DOW Chemical

Researchers the world over exhaustively pored over the Microsoft IE zero day vulnerability used in the compromise in order to analyze and assess the possibility of derivative exploitation. Commentary on the level of sophistication ranged from ‘very’ to more ‘elementary’. Media figures, industry pundits and people the world over who previously assumed that concepts such as advanced persistent threats and subversive multi-vector threats (the author is of the opinion that these threats are absolutely real but that they are non-trivial in terms of architectural intent) were the stuff of which cyber-boogeymen were made began changing their tunes. Unbridled allegations and assertions were being made even in light of the fact that on almost a day-to-day basis more information was coming to the surface. Onus and responsibility were shifted away from the Chinese Government and re-focused on two universities within China. Some argued that this could be a cleverly devised diversionary tactic of the Chinese, while others entertained other, in my humble opinion equally plausible, explanations having to do with China being effectively ‘framed’ for this event of interest.

Wake Me When It’s Over: Reality Checks in the Midst of Chaos 

The reality is that without careful intelligence gathering, application of analytics and thorough vetting of data, we are left to speculate, arrive at best guesses and thusly produce statements which include, for better or worse, allegations. Put another way, unless we have a need to know (and there is something to know), we most often don’t know what we don’t know. We need to understand as information security professionals that there is a danger in mad speculation. It more often leads to a state of imbalance rather than control. We must think more clearly so as to avoid mistakes from which extraction could prove difficult at best. China is an easy target. We do know they are active in the proliferation of cyber-warfare tactics, methodologies and strategy; however, we must be careful to avoid throwing the baby out with the bath water, so as to avoid finding ourselves being the accused as opposed to the accuser.

Closing Thoughts

The world and our interactions within it are changing; as such, the ability to approach these challenges dynamically while presenting the appropriate mindset is critical.  The ability to think and consider things in an asymmetric fashion in a symmetric world is of the utmost importance and influences non-repudiation greatly.

  1. The threats are real, but we need to assess the data carefully and in a manner not driven by hysteria
  2. In the absence of irrefutable proof, we risk much when we make allegations; we need to be careful
  3. As my colleague Josh Corman and I were discussing this, it occurred to us that we will always lack 100% irrefutable proof, but that we must make decisions for the greater good predicated on the best intelligence we have at the time
  4. As a result we must be more highly attuned to FUD and its impact on tactical and strategic information security as it is easy to be misled

Your thoughts?