fudsec.com (http://fudsec.com) - Showcasing Fear, Uncertainty and Doubt from the Information Security Industry (hosted on posterous.com)

Fri, 01 Apr 2011 07:38:45 -0700
Far Advanced Relentless Threats Fouling up Corporate Environments #FARTsec
http://fudsec.com/far-advanced-relentless-threats-fouling-up-co

"Rabbit-rabbit" folks on this 1st day of the month. Just when many of you thought it was safe to go back into the water. Just when you thought nothing could be worse than APT... think again. Wade Baker followed his nose and unearthed something even more silent - even more deadly. This is the Press Release "they" didn't want you to see.

by Wade Baker (@wadebaker)

Advanced Persistent Threats (APTs) garnered a huge amount of attention within the security community in 2010. Reports of sophisticated attacks against high-profile organizations provided ample fuel, and the fear of APTs spread like wildfire. Many expressed a sense of hopelessness against this new foe. Trade secrets were lost. Reputations damaged. White-knuckled fear and frustration ensued.

But that was last year, and there is no relief for the afflicted, no rest for the weary.

2011 brings with it a foul wind of another, even more advanced, and vastly more persistent threat into our midst. These vile agents known as Far Advanced Relentless Threats have quickly become an assault to the senses, permeating corporate environments with ease. 

Intelligence and research analyst Wade Baker laments “the worst part about this new threat is that the data on their origins, behaviors, and motives is so scarce. Security hinges on knowing our enemy, but that’s impossible with Far Advanced Relentless Threats. They rise up from the bowels of who-knows-where and hit you like a ton of bricks so fast it can take your breath away.”

When asked about whether the analyst community is looking into this situation, industry analyst Josh Corman answers “Absolutely.” “As soon as the news broke wind of this new threat, we stuck our noses out to see what we could learn. It didn’t take long to catch a whiff of Far Advanced Relentless Threats affecting our own ranks. They hit Andrew Hay bad one day last week; it was nasty and it’s going to take some time to recover.”

Researchers are, at least, trying to better understand how they work. “Those who incorporate JavaBeans into their applications seem particularly vulnerable” says application security specialist Jeremiah Grossman. “Far Advanced Relentless Threats typically follow an attack pattern that results in a sudden and violent buffer overflow condition. Being on the receiving end of that kind of force really stinks.”

According to industry expert Christofer Hoff, one of the aspects of Far Advanced Relentless Threats that makes them so invasive is their ability to spread rapidly via the cloud. “They’re extremely efficient,” he says. “They are highly scalable, deploy quickly, and can also dissipate swiftly as though they were never there. By then, of course, the damage has already been done…and don’t even get me started on what this will mean for cropdusting and cloudbursting.”

“Some Far Advanced Relentless Threats trumpet their presence loudly, but it’s the silent ones that are truly deadly,” claims forensic investigator Andrew Valentine. “In most circumstances they leave no lasting evidence and studying those rare logs that are left behind hasn’t yielded much useful information regarding the identity and/or origin of these threats.”

Because of their stealthy tactics, some believe Far Advanced Relentless Threats are a bunch of hot air. But those who have experienced their awful reality first-hand know better. “It can really damage your reputation,” says Alex Hutton, “and that awful stain may never wash away. When that happens, you might as well just go home; there’s no showing your face again in public after that.”

Not everyone is ready to surrender and go home, however. Chris Porter has put together a special unit known as the Far Advanced Relentless Threat Emergency Response Squad. “We can’t keep holding back and silently letting things go. It’s not the time to be timid; it’s go time. We’re gonna drop some bombs,” he says pointedly and confidently. 

Happy April 1st!
Be sure to use the #FARTsec hash when referring to this new threat.

Fri, 25 Mar 2011 06:57:00 -0700
FUD-Kick 'Em While They're Down
http://fudsec.com/fud-kick-em-while-theyre-down

By Bob Rudis (@hrbrmstr)

By now, most infosec folk have digested, opined on and come to loathe the EMC (RSA) SecurID breach story that broke on March 17. Their 8-K filing contains both the open (public) letter as well as the initial guidance provided to customers on steps they should take to ensure the CIA of their SecurID infrastructure. EMC released additional information on March 22, but no official communication has gone into any real detail as to the specific vectors of the attack save for a singular line:

"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT)."

Despite that vague speculation ("led us to believe" is not "we confidently know") on the part of EMC, it seems that there are at least two vendors who know exactly what APT-style was used and how they can stop it. The problem is that they seem to disagree on which APT it was.

Vendor #1

For various reasons, I had to redact portions of this particular communication. I can attest to the authenticity of the e-mail, but you could argue that makes me about as trustworthy as a Comodo SSL certificate. Their e-mail came soon after the breach announcement, hence my putting them first. Here is what they claim to know about what happened to EMC:

[image: redacted vendor e-mail, not reproduced here]

You can read the full, redacted e-mail at your leisure. Thankfully, we already use their technology, so I can be confident I'm fully protected against the EMC-felling APT. (HTML6 really needs a <sarcasm> tag).

Vendor #2

Just as I was feeling smugly safe all weekend, I awoke to the following in e-mail today (as did many others):

I hadn't even had one ounce of caffeine yet, but was forced into immediately questioning my security posture and whether or not I was truly protected from these "APTs". Given the intensity of their message, these folks must have the inside scoop:

Quite the differing views on what happened and where I need to focus my protection efforts. Which one should I believe?

Who Protects Us From The Protectors?

Both vendors called out in this post seized on the opportunity to feast on the wounded carcass of a competitor who is a huge player in the IT security & compliance sector. Neither has helped me effectively communicate the real threat(s) to my stakeholders and neither has given me anything tangible to put into a roadmap for my security program. Even EMC itself caused a significant amount of churn in many organizations and has done its own share of spreading Fear, Uncertainty and Doubt due to the sheer lack of information about their breach.

I am fully aware of how difficult the situation is for EMC and the fine line they need to walk in this situation. However, fueling the APT FUD machine was unnecessary and has only encouraged more speculation in the infosec community and seems to have brought out the worst in some other companies in this sector.

We need to make it clear to vendors that we won't stand for opportunistic scare tactics like this and we also need to continue to foster a community of sharing and open discourse between each other to keep the FUD under control.

Fri, 10 Dec 2010 15:39:45 -0800
The Wikileaks bandwagon rolls into town
http://fudsec.com/the-wikileaks-bandwagon-rolls-into-town

As unlikely as it would be for the Wikileaks phenomenon to be uttered in proximity of FUD, our returning champion Chris Swan felt compelled to speak on the matter. Let's hope he doesn't get us DDoS'd (Wait. DDoS attacks are just FUD, right? We've lost track.)

by Chris Swan (@cpswan)

 

Firstly this isn’t a post about the rights or wrongs of Wikileaks itself. That’s been covered elsewhere in a more serious, thoughtful and funny way than I could ever do myself.

This is about Wikileaks being the new mother lode of FUD. It’s becoming the centre of the stories that security vendors tell customers to keep them scared at night.

I’m not going to link to the guilty. We all know who they are, and I could never be comprehensive enough. It would be like having just a few hundred examples out of a quarter of a million. We could point and laugh at one culprit without realising that an even more egregious example is just around the corner.

What I have to say here has its genesis in Andrew McAfee’s post a few days ago ‘Did WikiLeaks' "Cablegate" Result From Too Much Information Sharing?’. This is a problematic question, and seems to put information sharing (which is key to running a business or government) at odds with security (which is key to running a business or government) – what to do?

I made some comments on the post, which are worth repeating here:

The problem here wasn't classification. The material was correctly classified, and processed on the right systems.

The problem here wasn't clearance. Whoever did this almost certainly needed access to material of this protective marking.

As you rightly point out the problem isn't about sharing. The intelligence community (and military at large) have got better at sharing, and need to continue.

The problem is aggregation. This is a well known problem in the military/security community, and one that has changed dramatically in the digital era. It's bad enough if you have an entire aircraft, ship or tank filled with sensitive material on paper fall into enemy hands, but as we see here that's nothing compared to what you can get onto a thumb drive.

The massive fail appears to be that the monitoring systems didn't ring alarm bells when somebody was bulk downloading massive quantities of data. Quantities of data that couldn't possibly have been read by an individual (or even a large unit). This should be the focus of the fire drill that's surely going on right now. This isn't about horses or stable doors, this is about somebody driving a virtual semi-trailer out the gate and nobody noticing.
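The "alarm bells" the comment above asks for are simple to state: count how much distinct material each account pulls per hour and compare it with what one person could plausibly read. The following is an added example (not from the original post or from any monitoring product) that runs that rule over a constructed repository access log; the log format, the `max_docs_per_hour` threshold and the user names are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real data). One line per document access:
#   <ISO timestamp> user=<id> action=<view|download> doc=<id> bytes=<n>
SAMPLE_LOG = (
    "2010-11-01T09:02:11 user=alice action=view doc=cable-001 bytes=18432\n"
    "2010-11-01T09:05:40 user=alice action=view doc=cable-007 bytes=22011\n"
    "2010-11-01T10:14:09 user=carol action=download doc=cable-042 bytes=19800\n"
    # 'bob' pulls 400 distinct documents in a few minutes: far more than a
    # person could read, which is the signal the detector looks for.
    + "".join(
        f"2010-11-01T09:{6 + i // 60:02d}:{i % 60:02d} user=bob action=download "
        f"doc=cable-{i:03d} bytes=20000\n"
        for i in range(400)
    )
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} user=(?P<user>\S+) "
    r"action=(?P<action>\S+) doc=(?P<doc>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    # 'ts' is truncated to the hour (YYYY-MM-DDTHH) so it doubles as the bucket key.
    return rec


def bulk_download_alerts(log_text, max_docs_per_hour=30):
    """Return [(user, hour, distinct_docs, total_bytes)] for every user/hour bucket
    whose distinct document count exceeds max_docs_per_hour (an assumed figure for
    what a single reader could actually consume in an hour)."""
    docs = defaultdict(set)      # (user, hour) -> set of document ids
    volume = defaultdict(int)    # (user, hour) -> bytes transferred
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["ts"])
        docs[key].add(rec["doc"])
        volume[key] += rec["bytes"]
    alerts = []
    for (user, hour), doc_set in sorted(docs.items()):
        if len(doc_set) > max_docs_per_hour:
            alerts.append((user, hour, len(doc_set), volume[(user, hour)]))
    return alerts


if __name__ == "__main__":
    for user, hour, n_docs, n_bytes in bulk_download_alerts(SAMPLE_LOG):
        print(f"ALERT {user} pulled {n_docs} distinct documents ({n_bytes} bytes) in hour {hour}")
```

The rule deliberately counts distinct documents rather than raw bytes, because the argument in the comment is about readable quantity, not bandwidth; bytes are reported alongside so an analyst can see the size of what left. A real deployment would tune the threshold per role and add a baseline for each account, but even this crude check fires on the pattern the post describes: one account, hundreds of documents, minutes.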

I’ve since had time to reflect on those comments...

I now very much doubt that the material was correctly classified. A lot of it is marked SECRET, and it’s worth having a quick reminder of its definition - "Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Arguably ‘serious damage’ hasn’t (yet) been caused, and hence QED the documents were incorrectly classified. It’s also worth mentioning here that the US seems to be stuck in an old world system of ‘classification’ where others (such as the UK) have moved on to a more refined concept of ‘protective marking’. In that system there’s a sub category for ‘Impact on foreign relations’ and at business impact level 3 we find ‘Cause embarrassment to Diplomatic relations’, which is where we seem to find ourselves.

Pointing the finger at aggregation is perhaps an oversimplification. Schneier is right that it’s really an access control issue – at least to the extent that you don’t get an inappropriate aggregation if you have the right access control. It would appear that the issue with SIPRNet is that there’s no effective compartmentalisation of material (as there would be on systems holding TOP SECRET material). Of course we see this issue in business too. Cleared to see != need to know, and there’s often a specific need for compartmentalisation to create ethical boundaries (or their more politically incorrect cousins, Chinese walls).

It’s at this point that the FUD toting security industry bandwagon rolls into town and says ‘my product/service can solve these (access control) issues’. We’ll be seeing a lot of DLP/ERM/IRM vendors doing this over the coming weeks and months. More so if Wikileaks move on from government to big business, as has been threatened. The problem is that this is total BS. I wrote some years ago about ‘the wrongs of enterprise rights management’ and spent a great deal of time socialising the issues with security vendors. Largely those issues have been ignored, and the vendors have continued to peddle solutions that are just as broken now as they were then. That’s because these are hard problems. Problems that require business commitment and human input. Problems that can’t be solved by a technology silver bullet. Of course the technology could get better at helping us with the organisational and people issues here, but it’s not a magic wand.

Perhaps some of the solutions out there could have helped with what happened on SIPRNet by creating workable compartmentalisation overlays, observing anomalous access patterns or preventing exfiltration. But that would be a question of scope and scale, and ‘cablegate’ may be unique in that. The real problem here is that there’s nothing technology can do about an authorised insider turning rogue and leaking a single critical piece of information, and that’s what we’re likely to see next – single smoking guns that cause real harm to businesses (and likely an ethical car crash for added PR impact). The FUDmeisters might claim that they can sell the solution to these problems, but I fear they can only solve much simpler issues.

Fri, 05 Nov 2010 07:44:00 -0700
Buyer Beware on SSL Certificates
http://fudsec.com/buyer-beware-on-ssl-certificates

This post comes from Peter Hesse. Peter knows a thing or two about SSL Certificates. With apologies, Peter submitted this a while ago. The recent FireSheep hoopla triggered the SSL thought, which triggered this unrelated post.

by Peter Hesse (@pmhesse)

 

Earlier this week, a phone call from a friend drove me to write this on twitter:

Wow, SSL Certificates are really a ginormous scam.

I then received a few followup messages on twitter, and ended up responding to an SSL vendor by email, which in turn inspired me to write this post.

As background, I have worked in/around/with public key infrastructure (PKI) for nearly my entire professional career. My first software development job was working on a certification authority reference model for NIST in 1996.

So, I know a thing or two about SSL certificates. For example, I know they cost far less to create and maintain than SSL vendors typically charge. There is no additional burden on the issuer between the different levels of certificates: the costs of hardware, hosting, audit, etc. are very similar between the types of certificates (perhaps excluding extended validation or EV certificates).

I can understand charging more based on the speed of issuance of the certificate, and the quality and depth of the validation performed to ensure the requestor works for the organization whose name will appear in the certificate. After all, you can usually only pick two of [faster | cheaper | better]. SSL certificate issuers are free to charge what they think people are willing to pay for certificates rather than trying to relate it to the actual cost of creation and management. That is their right, and it is my right to call them out when I feel the prices are ridiculous.

The "scam" of SSL certificates these days is that the sales representatives are being trained to use fear, uncertainty, and doubt to scare people into buying more expensive certificates than they need. The following is from a friend relaying his exchange with an SSL vendor:

Sales rep stated our current certificate is hackable because it can go down to 40bit, explained that this makes us vulnerable. I argued "I only allow 128-bit at the server", and he said "yes, but since your cert is only 40 bit it can still be compromised; you need a server gated cryptography certificate."

If you know what you are doing (security wise) you will block all weak cryptographic ciphers at your web server. This may prevent older browsers from being able to connect to your site, but will ensure the cryptographic strength is always high. The sales representative was trying to scare my friend into thinking this wouldn't do the trick, which is patently false. The following link gives some good reasons why SGC certificates are a bad idea and don't solve the weak encryption problem. Even the wikipedia entry for SGC calls SGC certificates "obsolete" (and no, I didn't just go edit that entry to say that... as far as you know, anyway *evil-arched-eyebrows*).
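Blocking weak ciphers is a server-side setting, and the quickest way to confirm it actually holds is to expand the configured cipher string the same way the server's OpenSSL will and look at what survives. The following is an added example, not from the original post, written against Python's standard `ssl` module; the weak-name pattern and the 128-bit floor are assumptions chosen for the demonstration, not a published standard.

```python
import re
import ssl

# Cipher name fragments that indicate export-grade, unauthenticated or broken
# primitives. Assumed list for this example; extend to taste.
WEAK_NAME = re.compile(r"(^|-)(EXP|EXPORT|NULL|RC4|DES|MD5|ADH|AECDH)(-|$)")

# Assumed floor: anything below 128 bits of symmetric strength is rejected.
MIN_STRENGTH_BITS = 128


def is_weak(cipher):
    """Classify one cipher description dict (shape as returned by
    ssl.SSLContext.get_ciphers(): at least 'name' and 'strength_bits')."""
    if cipher.get("strength_bits", 0) < MIN_STRENGTH_BITS:
        return True
    return bool(WEAK_NAME.search(cipher["name"]))


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (the value you would put in Apache's
    SSLCipherSuite or nginx's ssl_ciphers) through the local OpenSSL library and
    return the names of any enabled suites that fail is_weak(). An empty list
    means the configured string enables nothing weak on this OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if is_weak(c)]


# A hardened string of the kind the post recommends: high-strength suites only,
# no anonymous key exchange, no MD5, RC4 or 3DES.
HARDENED = "HIGH:!aNULL:!MD5:!RC4:!3DES"

if __name__ == "__main__":
    weak = audit_cipher_string(HARDENED)
    print("weak suites enabled by", HARDENED, "->", weak or "none")
    # The constructed 40-bit entry below is what the sales pitch in the post was
    # about; it fails the check regardless of what certificate is installed.
    print("EXP-RC4-MD5 weak?", is_weak({"name": "EXP-RC4-MD5", "strength_bits": 40}))
```

The point the check makes concrete is the one the post makes in prose: the negotiated cipher strength is decided by the server's enabled suite list, so a certificate marketed as "40-bit" changes nothing once the server refuses to offer 40-bit suites. Note that `audit_cipher_string` reports what the local OpenSSL build would enable, so run it on the same library version the web server links against.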

The sales representative also continued the discussion to try and convince my friend that one certificate wasn't enough. In discussing his configuration, he revealed he has many back-end servers which all sit behind an SSL-offloading load balancing proxy. The sales representative tried to convince him that he would now need to buy a certificate for each of the back-end servers to afford him the best protection. So instead of needing one or two certificates, my friend was going to need twenty! Yes, I think we all know that defense in depth is important and he should indeed use SSL between his proxy and the back-end servers. Paying $50-$1500 each for browser-trusted SSL certificates on the back end is just a flat-out waste of money.

Self-signed certificates, or certificates generated by an in-house PKI would provide at least the same level of security at a far reduced cost. So, there you have it. Make sure you know what you need before you try to buy an SSL certificate. The sales representatives are willing and able to charge you whatever they can scare you into believing you need.

Fri, 20 Aug 2010 06:01:00 -0700
Cyber War and the Value of FUD
http://fudsec.com/cyber-war-and-the-value-of-fud

Now repeat poster, Ben, was chomping at the bit to share his thoughts on (brace yourself) Cyber War. Further, he wanted it introduced with some AC/DC lyrics from "Thunderstruck". We at least thought we could go with "Let's Have a War" by Fear (or A Perfect Circle) instead. Someone should update it for "Let's have a (cyber)war" sometime. With some level of protest... have at it.

 

...I was caught

In the middle of a railroad track (Thunder)

 

And I knew there was no turning back (Thunder)

My mind raced

And I thought what could I do (Thunder)

And I knew

There was no help, no help from you (Thunder)

 

Sound of the drums

Beatin' in my heart

The thunder of guns

Tore me apart

You've been - thunderstruck..

 

by Ben Tomhave (@falconsview)


I've been reading Richard Clarke's latest book, Cyber War, recently in an effort to delve deeper into the topic. Maybe it's been all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD.

The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor.

What I wonder is this: just how much data and control must we lose before we stand up and start taking action? How many proprietary designs, plans, formulas, etc., must be compromised? How many SCADA systems have to be pwnd? Is it really going to take a massive blackout before energy company execs wake up and smell the ozone?

Clarke asserts that foreign assets already have embedded attack tools ("logic bombs") into many, if not all, critical infrastructures. We've not done an adequate job of supply chain management, so consider that his assertion may, in fact, be fact-based and plausible. Now add factual assertions that massive research databases (academic, government, and corporate) have been copied wholesale by these same foreign assets. Accept this as fact, if you will, and not as FUD. How does this change your perspective on the topic?

The Case For FUD

Taking the previous examples as fact (as an example here - we can debate the depth of pwnage, but I think we can all agree that there are serious concerns here), there may be a valid case for FUDtastic scenarios like the ones Clarke uses in his book. The "digital Pearl Harbor" example of yore is nothing. He puts an interesting spin on it: what if there is reasonable upside to a foreign power to take down our critical infrastructure in a single, well-coordinated attack? What if our assumption of a "cold war" styled standoff (based largely on a belief in economic interdependency) isn't actually valid?

If anybody has attended Black Hat and DEFCON, then they should know definitively just how good the breakers are these days, and just how behind the curve most organizations really are. Pulling out a book like Clarke's can help drive home this point in a wonderfully FUDerific manner. "If you don't fix things NOW, then you will lose everything!!!" Or so it might go in your head. After all, there's nothing like a healthy dose of fear to motivate people. Or does it really work that way?

The Case Against FUD

There are a couple deficiencies with using FUD to make an argument. Excessive and continuous use of FUD can elevate the message to a state of background noise. It can also hurt your credibility. If every time you open your mouth FUD spews forth, then people will tune you out or avoid you. We in infosec - especially vendors - seem to be guilty of this historically, as evidenced by how hard it is to get the attention of execs.

Another problem is context. If everything is expressed as the highest of high risks, then how do you decide how to respond? If everything rates a 10 (on a 10-pt scale), then does that mean everything must be addressed immediately? How do you justify that?

Along these same lines, there's also typically a lack of adequate supporting data to justify the consistently hyped state. Where are the metrics and measurements? Have the risk factors been measured and ranked using a reliable method? FUD tends to not have these supporting structures, which further damages credibility.

"We're So Screwed"

This statement probably summarizes our situation today, at least from the U.S. perspective. How do we get this message across? If we have a high degree of credibility, and if we haven't abused the use of escalated rhetoric, and if we have some facts to back us up, then and only then can we whip out some FUD to make our point (of course, we could debate whether this is really FUD, but I digress...). You have all that today, right? No? Uh oh. Now what?

This, I think, reflects our current situation. We are sorely in need of a breakthrough, too (SCADA owners - I'm looking at you!). One such step being taken is that DHS is now sending teams off to energy companies to help with security, but this seems unlikely to be sufficient. We have decent methods for modeling risk (e.g. FAIR). How do we take the next step? How do we get the message across in a meaningful way that spurs meaningful action?

What do you think?

Fri, 09 Jul 2010 12:25:00 -0700
Wildly Successful Social Engineering
http://fudsec.com/wildly-successful-social-engineering

Here at the Fudsec Summer Resort, we were chilling with our wine coolers in between rides on the tire-swing, enjoying the hottest part of summer with some time off, and then Jack Daniel (@jack_daniel) goes and writes a perfect FUD-related rant on his Uncommonsense Security Blog. Several people DM'd us and asked us to re-post. With Jack's kind permission, we've done so below. All hail Jack for a great analysis of some serious FUD

Someone has done some wildly successful social engineering. Amazing, actually. I am not talking about the "Robin Sage" social media/social engineering case where a lot of people who should know better gave up a lot of information in a lot of different ways. That may be interesting (we'll see when it is presented), but even though some of the results were sensitive, that is building on a lot of prior work.

I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap. Sorry folks, but yes, that includes coverage from people I like. If you believe a lot of what you read, you would think that a lot of people were "duped" into following/friending/linking/whatevering Ms. Sage. This shows a gross lack of understanding of both social networking and the security community- both on the part of the journalists, and to a lesser extent, the researcher.

The people who "over-shared" really are a problem, and it may be interesting to see what Thomas Ryan (the person behind Robin Sage) presents at DefCon. It looks like s/he got a lot of sensitive information from people who should know better- three letter agencies, military, and more. Interesting, but "people are stupid and gullible" is not really ground-breaking, nor is mining/abusing social networking to prove this point a new idea either. It does sound like the scope and scale may be noteworthy. But not new, and being a skeptic, I'm not sure it is newsworthy.

Where things fall apart is the nonsense over stories which pretty much proclaim that MILLIONS OF SECURITY PROS DUPED, and point to the number of friends/links/etc. the virtually perky Ms. Sage gathered. I would like to point out four things:

  1. Different people use social networks in different ways. Just because someone accepts your connection request does not mean they are fooled by you. They may not even care if you are real or fake.
    • Maybe they (sadly common) think that more connections means they are more important.
    • Maybe they are public figures of some kind, and accept most requests as a matter of policy. If people are careful with what information they share, there is nothing wrong with this. Nothing. It is voluntary, get over it. It is how Social Media and Social Networking work for many people. If you don't like this approach- don't use it.
    • The decision to accept may be based on connections offered (via friend-of-a-friend linking) instead of being based on the person making the request. Again, if you are cautious about what you share, there isn't a risk here- even if it is a pretty shallow move. Robin certainly had some interesting friends/links to entice people. Put another way: Some days, the wingman scores.
  2. Once Robin Sage became fairly visible, the drama got interesting and a lot of people began following/linking to the myriad of Robin Sages (yes, there were clones and evil twins, too) just to watch the train wreck. I was one of these, and like many others I had my suspicions- but didn't care if she was real, fake, or just another troll, there was entertainment. People were not duped, they grabbed a beer and some popcorn and watched the show.
  3. Robin Sage was called out. Spotted. Thoroughly outed. Many thought "something was fishy". Some people did actual research and provided real details. People had to connect/accept to do the research and confirm their suspicions. The press almost completely missed this critical point. They also missed the fact that once this was widely known, even more people connected to and followed Robin to watch the evolving train wreck mentioned in point 2.
  4. Mr. Ryan apparently convinced (socially engineered) much of the media into thinking this was something it wasn't, and the result was not journalism, it was an embarrassment.

And this is just the worst of it this week. Half baked ideas, giant (and flawed) leaps of logic, obvious vendor spin, and more were on parade this week. Maybe it was the heat and no one could think clearly. Maybe it was Vacation from Healthy Skepticism Week and no one told me. I don't know, but I'm not happy about it.

Fri, 18 Jun 2010 05:51:00 -0700
The FUDdies®: Vote For Your Favorite Practitioner of The Fine Art of FUD
http://fudsec.com/the-fuddies-vote-for-your-favorite-practition

For a year, Fudsec.com has brought you the finest FUD-bashing that money can buy, and many have asked us how they can post here (email us at the address below if you'd like to).

All too often, though, we've outed fear, uncertainty and doubt without thought to giving credit to those who toil thanklessly to create it.

We're out to change that.

Announcing the FUDdies® - the industry standard recognition of innovation and creativity in the production of FUD. After all, coming up with new ways to wrest legitimate budget dollars from security initiatives towards illegitimate boxes is no easy task. Join Fudsec.com as we honor those in the business of making this magic happen.

Face it, folks: there's tons of FUD out there, and even here on Fudsec there are few people being specifically called out for FUD. So let's bring it. Tell us who's doing it. Tell the community about it. 

We need your help to get these going. Email us your thoughts, your nominations, or anything else you think we should think about. Right now, there are two categories of FUDdie: FUDiest Campaign, and Most Unctuous Information Security Marketing Executive.

Voting is held by secret ballot at fudsec ( at ) gmail com  , and all results are reviewed by a top secret, anonymous committee whose decisions shall be final.

Prizes are coveted, genuine Reynolds-built aluminum foil caps, which look great and shield your brain from electromagnetic mind control carrier waves and beacons. The prizes will be announced at RSA 2011, which means we need help now.

Vote early! Vote with your heart! 

The Fudsec Team

Fri, 11 Jun 2010 06:26:00 -0700
Framing Software Security
http://fudsec.com/framing-software-security

Today's post comes from Ben Tomhave. Ben and others felt the Zalewski ZDNet piece was a bit of a "Blame or Frame Job" on our industry and was compelled to respond. Do you agree? You'll want to follow the links if you haven't already read them. Any post that starts with a Sin City reference is likely to be gritty.


by Ben Tomhave (@falconsview)


"I've been framed for murder and the cops are in on it. But the real enemy, the son of a bitch who killed the angel lying next to me, he's out there somewhere, out of sight, the big missing piece that'll give me the how and the why and a face and a name and a soul to send screaming into hell." ("Marv" in the movie Sin City)

I've read and reread (a couple times) the May 20th article "Security engineering: broken promises" by Michal Zalewski of Google (a guest post on ZDNet's "Zero Day" feature). I have to say, I find it highly disappointing and FUD-tastically frustrating. The bio at the end describes him as a "security researcher," which in my mind makes him a "breaker" more than a "fixer" (supported by the kinds of tools he's released). As such, we have to expect a degree of whining cynicism about how bad things are, but I would have at least hoped he'd have a little more clue before spreading FUD doom and gloom.

Framing Frameworks
"...for several decades, we have in essence completely failed to come up
with even the most rudimentary, usable frameworks for understanding and
assessing the security of modern software... The frustrating, jealously
guarded secret is that when it comes to actually enabling others to
develop secure systems, we deliver far less value than could be expected."

As a card-carrying member of OWASP, I find this statement to be ill-informed and suspicious. While it is true that we don't have mathematical models describing software security (to which he later alludes), it is completely false to say that we lack frameworks for understanding and assessing software security (which he never defines). There are lots of options to choose from, whether it be OpenSAMM, BSIMM/BSIMM2, or even the various efforts of groups like OWASP, ISECOM, or WASC. Let's also not forget efforts like Microsoft's SDL.

In terms of enabling others, this is not a security failure, it's a management and business failure. Many like to throw blame onto security teams for this situation, but everything ultimately comes down to the decision-makers and their needing to place proper emphasis on the need/requirement for writing secure code+apps.

Framing Risk Management
Now we get into some very FUD-erific territory...

"...[risk management] introduces a dangerous fallacy: that structured
inadequacy is almost as good as adequacy, and that underfunded security
efforts plus risk management are about as good as properly funded
security work."

and

"...security incidents are nearly certain, but out of thousands exposed
non-trivial resources, any resource could be used as an attack vector,
and none of them is likely to see a volume of events that would make
statistical analysis meaningful within the scope of the enterprise."

and

"...in information security, there is nothing contributed by healthy
assets to directly offset the impact of a compromise, and there is an
insufficient number of events to model their distribution with any
degree of certainty; plus, there is no way to reliably limit the maximum
per-incident loss incurred."

Wow, talk about cynical. First off, apparently risk management has no value. Second, risk management apparently detracts from security initiatives. Third, because there are potentially infinite threat vectors, the statistical analysis performed in risk assessment is pointless. All of this prattle belies a keen ignorance about risk management, and once again seems to suggest that software security failures are a result of something other than poor coding practices under the rule of security-disinterested business leaders.

More importantly, his risk management comments don't seem to have much of anything to do with risk management, but instead seem to be focused on risk assessment methods. He probably also thinks that qualitative risk assessment techniques are de rigueur. It never ceases to amaze me when criticism is launched from a place of ignorance.

Framing Unified Theories
As the piece progresses (or maybe it digresses), it seems that we finally start to see his true intentions as he talks about CWE and CVSS, saying: "Having said that, none of them yielded a grand theory of secure software yet - and I doubt such a framework is within sight." This comment finally reveals Zalewski's true intent or hope, and that is some sort of mystical silver bullet "grand theory of secure software." I thought this guy was a security researcher for the venerable GOOG? Anybody else's spidey sense tingling over the inanity of his comment here?

Of course, perhaps the biggest problem is Zalewski chafing at what is actually "good enough" from a software security perspective. Frameworks seem to be the preferred ideal du jour, but to what end, and with what backing? More importantly, to quote Amrit Williams:

"What we must learn to accept is that security – as it pertains to both
the development of software and its operational use – is ultimately more
survivable than we like to believe." (from "The Simple Elegance of Faith; When Good Enough Is")

Call me crazy, but it seems like Zalewski is framing infosec for the failing of business leaders, compounded by his own ignorance.

What do you think?

Also check out Jack Daniel's response ("A bit of deep thought.") as he links to several other replies as well.

Fri, 04 Jun 2010 06:17:00 -0700 Endpoint Security in the Age of Virtual Desktops http://fudsec.com/endpoint-security-in-the-age-of-virtual-deskt http://fudsec.com/endpoint-security-in-the-age-of-virtual-deskt

This week's post comes from Eric Hanselman. Eric has an uncommon, common sense. Eric tried to leave Security two years ago after the RSA conference - bound for Virtualization-land. Alas, security pulls you back in and he was right back at RSA 2009. We always say "we'll do better at security the next time." "We'll bake security in." There were a lot of promises and claims made about how much better virtualization security would be. Here is sort of a "state of the union" from Eric.

by Eric Hanselman (@e_hanselman)

We’re heading into a brave new world of desktop security and we need to do it with our eyes open.  There’s a lot of potential benefit that desktop virtualization can bring to an organization.  Like any new technology, though, there’s a lot of misunderstanding of the change in risk dynamics and how to deal with them.  In recent weeks there have been announcements and discussions that bear some analysis.

Hosted and Virtual desktops (HVD is the Gartner term) deliver awesome mitigation for data loss.  The desktop is back in the data center and only the screen image makes it back to the user.  There are also all of these really great operational expense savings.  It’s easy to think that it resolves some of our biggest endpoint protection headaches.  There’s an air of irrational exuberance out there that’s a little disturbing.

There are two big concerns:

  • Users think that desktops in datacenters are wicked safe.
  • Vendors aren’t disabusing them of this delusion.

At RSA this year, in two different virtualization security sessions, I heard attendees ask if anti-virus software was still needed with virtual desktops.  Lest you think that these were aberrations, industry analysts are posing the question, as well.

Forget about all of the Blue/Red Pill hysteria.  There’s a much more fundamental issue that we need to address.  Yes, the desktops are now in the datacenter, but there are still a whole set of security issues that have to be handled.  We’ve made a big jump forward with physical security.  It’s now a lot harder for random people to plug USB devices into desktops or walk off with the thing that holds all that local data.  We’ve paid for this by turning every user into a remote user.  Remote access security is something that we should have a good handle on, but now every user needs it.  IAM capabilities take a big step forward.

Securing the desktop is where real work still needs to be done and that falls to the traditional tools of endpoint defense.  The hitch is that our existing tools don’t play well with the virtual world.  For the security conscious, the virtual desktop gets built like the physical desktop.  Tried and true desktop suites can be managed in the virtual world alongside the physical desktops.  This works.

There’s a danger lurking here, if we don’t understand the impact in the virtual world.  There are a number of horror stories of a newly minted virtual installation being brought to its knees when every one of the virtual desktops was scheduled to do system scans at the same time.  Even if our suite supports flexible scheduling, those compute and I/O intensive tasks that worked so well when distributed across bunches of under-utilized systems are a huge load when brought back to a shared set of servers.

This is a problem that has many people considering turning off traditional protections.  A big difference between server and desktop virtualization is the concern about scale.  Running endpoint protection on virtual desktops reduces the number of desktops that can be hosted on a given set of hardware.  There are virtualization vendor claims that, by destroying each desktop after use, we eliminate infection.  This is the first vendor complicity issue.
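The scan storm described in the two paragraphs above, as an added example that is not from Eric's post: a start offset derived from each desktop's own name spreads full scans across a maintenance window without a central scheduler, and a small helper compares the peak number of concurrent scans against the case where every desktop fires at once. The fleet size, scan length and window length are constructed assumptions, not figures from the post.

```python
import hashlib
from collections import Counter

# Constructed fleet and timings; none of these numbers come from the post.
DESKTOPS = [f"vdi-{i:03d}" for i in range(200)]
SCAN_MINUTES = 20        # assumed length of one full desktop scan
WINDOW_MINUTES = 240     # assumed window in which scans are allowed to start


def stable_offset(name, window=WINDOW_MINUTES):
    """Start offset in minutes derived from the desktop name, so each
    desktop always picks the same slot and survives rebuilds unchanged."""
    digest = hashlib.sha256(name.encode()).digest()
    return int.from_bytes(digest[:4], "big") % window


def peak_concurrency(start_minutes, duration=SCAN_MINUTES):
    """Largest number of desktops scanning during any single minute;
    this is the load the shared hosts and storage actually feel."""
    busy = Counter()
    for start in start_minutes:
        for minute in range(start, start + duration):
            busy[minute] += 1
    return max(busy.values()) if busy else 0


def storm_schedule(desktops=DESKTOPS):
    """The horror-story case: every desktop kicks off at minute 0."""
    return [0] * len(desktops)


def staggered_schedule(desktops=DESKTOPS, window=WINDOW_MINUTES):
    """Spread starts across the window using the per-desktop offset."""
    return [stable_offset(d, window) for d in desktops]


def compare(desktops=DESKTOPS, duration=SCAN_MINUTES, window=WINDOW_MINUTES):
    """Peak concurrent scans under both schedules."""
    return {
        "storm": peak_concurrency(storm_schedule(desktops), duration),
        "staggered": peak_concurrency(staggered_schedule(desktops, window), duration),
    }


if __name__ == "__main__":
    print(compare())
```

Staggering only flattens the peak; the total I/O of scanning every disk is unchanged, which is the case the post goes on to make for moving signature scans to a storage-side pass.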

What about all of that user data?  Aren’t there a lot of PDF’s full of APT’s out there?  Fortunately, virtualization can address a part of this.  But only part.

One big benefit of desktop virtualization is that I’ve got all of my users’ disks in the datacenter.  They’re available all of the time.  If I’ve got enough disk I/O capacity, I can scan all of those disks any time with minimal user impact.  I’ve also got the potential to remediate issues centrally.  A big win.  Some traditional AV vendors pitch this as their “virtual” solution today.

The piece that isn’t covered is execution monitoring.  The virtual environment still doesn’t have a way to keep tabs on live processes.  There are good signs, but they’re not complete.  VMware’s VMsafe opens memory pages for inspection, but, again, we’re back to static signature scans and advanced threats have proven that they’re pretty good at obfuscation.  And only VMware offers this today.  And only a few security vendors are doing anything with VMsafe.  This is a missed opportunity.

We now come to the recent announcement by Citrix and McAfee of their partnership for virtual desktop security, the MOVE platform.  This sounds like it’s going in the right direction.  It makes the agent functions more granular and allows processing to be split between the desktop and the virtual environment.

How will this fare when put under the scrutiny of the recently developed SCSOVLF metric?  Not well, unfortunately.  To begin with, it’s still a “concept” with delivery some months off. Details are still emerging, but the first stage seems to move some analysis parts to a separate VM and leans heavily on virtualization being a great way to improve configuration management.  Points off for relabeling something that we should have been doing already.

There is a second phase to MOVE, native hypervisor inspection.  My heart leapt!  Until I realized that it’s application and process whitelisting.  This is desktop security, not server, right?  There are a lot of people who’ve been burned out there by the twin issues of manageability and effectiveness for whitelisting.  It puts us right back to manually locking down users’ desktops.  While this is a step in the right direction, it comes with a high cost.  And more sophisticated threats already know how to beat it (DLL injection anyone?).

What we really need is endpoint protection that can rely on sophisticated techniques in the hypervisor.  Have per instance execution monitoring for the desktop, and leave the signature scans to a storage analysis piece.  And correlate the two, please.

And wouldn’t it be even better if, while providing virtual execution cycles, the virtualization layer was doing some effective protection, as well.  A guy can dream, right?

Fri, 28 May 2010 10:25:00 -0700 NSEC3: Is the glass half full or half empty? http://fudsec.com/nsec3-is-the-glass-half-full-or-half-empty http://fudsec.com/nsec3-is-the-glass-half-full-or-half-empty

Interesting technical post by the super-smart Andy Ellis.

It may not be obvious what this post has to do with FUD. Some context may help. A position we've heard: DNSSEC and its benefits have been postponed for years by folks afraid that zone files would not be secret enough. NSEC was an attempt to add secrecy, but it cost the world three tries and associated delays to settle on NSEC3. Oh, and by the way, it doesn't solve the "issue" either. Was FUD a factor here delaying the move to DNSSEC?

By Andy Ellis (@CSOAndy)

NSEC3, or the "Hashed Authenticated Denial of Existence", is a DNSSEC specification to authenticate the NXDOMAIN response in DNS. To understand how we came to create it, and the secrecy issues around it, we have to understand why it was designed. As the industry moves to a rollout of DNSSEC, understanding the security goals of our various Designed Users helps us understand how we might improve on the security in the protocol through our own implementations.

About the Domain Name Service (DNS)

DNS is the protocol which converts mostly readable hostnames, like www.csoandy.com, into IP addresses (like 209.170.117.130). At its heart, a client (your desktop) is asking a server to provide that conversion. There are a lot of possible positive answers, which hopefully result in your computer finding its destination. But there are also some negative answers. The interesting answer here is the NXDOMAIN response, which tells your client that the hostname does not exist.

Secrecy in DNS

DNS requests and replies, by design, have no confidentiality: anyone can see any request and response. Further, there is no client authentication: if an answer is available to one client, it is available to all clients. The contents of a zone file (the list of host names in a domain) are rarely publicized, but a DNS server acts as a public oracle for the zone file; anyone can make continuous requests for hostnames until they reverse engineer the contents of the zone file. With one caveat: the attacker will never know that they are done, as there might exist a hostname that they have not yet tried.

But that hasn't kept people from putting information that has some form of borderline secrecy into a zone file. Naming conventions in zone files might permit someone to easily map an intranet just looking at the hostnames. Host names might contain names of individuals. So there is a desire to at least keep the zone files from being trivially readable.

DNSSEC and authenticated denials

DNSSEC adds in one bit of security: the response from the server to the client is signed. Since a zone file is (usually) finite, this signing can take place offline: you sign the contents of the zone file whenever you modify them, and then hand out static results. Negative answers are harder: you can't presign them all, and signing is expensive enough that letting an adversary make you do arbitrary signings can lead to DoS attacks. And you have to authenticate denials, or an adversary could poison lookups with long-lived denials. Along came NSEC. NSEC permitted a denial response to cover an entire range (e.g., there are no hosts between wardialer.csoandy.com and www.csoandy.com). Unfortunately, this made it trivial to gather the contents of a zone: after you get one range, simply ask for the next alphabetical host (wwwa.csoandy.com) and learn what the next actual host is (andys-sekrit-ipad.csoandy.com). From a pre-computation standpoint, NSEC was great - there are the same number of NSEC signed responses in a zone as all other signatures - but from a secrecy standpoint, NSEC destroyed what little obscurity existed in DNS.

NSEC3

NSEC3 is the update to NSEC. Instead of providing a range in which there are no hostnames, a DNS server publishes a hashing function, and a signed range in which there are no valid hashes. This prevents an adversary from easily collecting the contents of the zone (as with NSEC), but does allow them to gather the size of the zone file (by making queries to find all of the unused hash ranges), and then conduct offline guessing at the contents of the zone files (as Dan Bernstein has been doing for a while). Enabling offline guessing makes a significant difference: with traditional DNS, an adversary must send an arbitrarily large number of queries (guesses) to a name server (making them possibly detectable); with NSEC, they must send as many queries as there are records; and with NSEC3, they must also send the same number of requests as there are records (with some computation to make the right guesses), and then can conduct all of their guessing offline. While NSEC3 is an improvement from NSEC, it still represents a small step down in zone file secrecy. This step is necessary from a defensive perspective, but it makes one wonder if this is the best solution: why do we still have the concept of semi-secret public DNS names? If we have a zone file we want to keep secret, we should authenticate requests before answering. But until then, at least we can make it harder for an adversary to determine the contents of a public zone.

"Best" practices in zone secrecy

If you have a zone whose contents you want to keep obscure anyway, you should consider:

  • Limiting access to the zone, likely by IP address.
  • Using randomly generated record names, to make offline attacks such as Dan Bernstein's more difficult.
  • Filling your zone with spurious answers, to send adversaries on wild goose chases.
  • Instrumenting your IDS to detect people trying to walk your zone file, and giving them a different answer set than you give to legitimate users.
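The NSEC walk and the NSEC3 hashed denial explained in the sections above, together with the "randomly generated record names" advice in the list, as one added example; this is not Andy Ellis's code. The toy zone, the salt and the guess list are constructed here (www, wardialer and andys-sekrit-ipad are the only names taken from the post). It builds both chains for the toy zone, enumerates the NSEC chain purely from the denials it hands out, checks the NSEC3 hash function against the RFC 5155 Appendix A vector, and shows that with NSEC3 an adversary holding every denial still recovers only the names they can guess offline, which is why unguessable labels help:

```python
import hashlib

# Constructed toy zone: www, wardialer and andys-sekrit-ipad appear in the
# post; the apex, mail and vpn are added for the example.
APEX = "csoandy.com"
ZONE = [APEX, "www.csoandy.com", "wardialer.csoandy.com",
        "andys-sekrit-ipad.csoandy.com", "mail.csoandy.com", "vpn.csoandy.com"]
B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 base32hex alphabet


def canon_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 s6.1): labels are
    compared from the root down, case-insensitively."""
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]


def covering(chain, q, key=lambda x: x):
    """Interval (lo, hi) of a sorted, wrapping chain that contains q. This is
    the signed denial a server returns for a name that does not exist."""
    kq = key(q)
    for lo, hi in chain:
        klo, khi = key(lo), key(hi)
        if klo < khi:
            if klo < kq < khi:
                return lo, hi
        elif kq > klo or kq < khi:          # last record wraps around to the first
            return lo, hi
    raise ValueError("name exists in the zone")


# ---- NSEC: the interval is made of real owner names ------------------------

def build_nsec(zone):
    """Each owner points at the next owner in canonical order."""
    ordered = sorted(zone, key=canon_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def walk_nsec(chain, apex):
    """What the post describes: every denial names the next real owner, so
    asking for a name just past each known owner enumerates the whole zone."""
    learned, cur = [apex], apex
    while True:
        _, nxt = covering(chain, "0." + cur, canon_key)   # "0.<cur>" sorts right after <cur>
        if nxt == apex:
            return learned
        learned.append(nxt)
        cur = nxt


# ---- NSEC3: the interval is made of hashes ---------------------------------

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: SHA-1 over the lowercase wire-format name plus salt,
    re-hashed `iterations` more times, rendered in base32hex.
    RFC 5155 Appendix A: "example." with salt aabbccdd and 12 iterations
    hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode()
                    for l in name.rstrip(".").split(".")) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    bits, n = int.from_bytes(digest, "big"), len(digest) * 8 // 5   # 160 bits -> 32 chars
    return "".join(B32HEX[(bits >> (5 * (n - 1 - i))) & 31] for i in range(n))


def build_nsec3(zone, salt, iterations):
    """Owners are replaced by their hashes; a denial says only that no owner
    hashes into (lo, hi), so it names nothing."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def nsec3_denial(chain3, qname, salt, iterations):
    """The covering hash interval returned for a nonexistent qname."""
    return covering(chain3, nsec3_hash(qname, salt, iterations))


def offline_guess(chain3, apex, salt, iterations, wordlist):
    """Once the intervals are collected, matching is offline: only names the
    adversary can guess (here a constructed wordlist) are ever recovered."""
    published = {lo for lo, _ in chain3}
    return sorted(f"{w}.{apex}" for w in wordlist
                  if nsec3_hash(f"{w}.{apex}", salt, iterations) in published)


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("1234"), 10      # constructed NSEC3 parameters
    print("NSEC walk recovers:", walk_nsec(build_nsec(ZONE), APEX))
    chain3 = build_nsec3(ZONE, salt, iterations)
    print("NSEC3 denial for a missing name:", nsec3_denial(chain3, "nope.csoandy.com", salt, iterations))
    print("offline guesses hit:", offline_guess(chain3, APEX, salt, iterations, ["www", "mail", "vpn", "ftp"]))
```

In the toy run the NSEC walk returns all six names, while the NSEC3 dictionary pass recovers www, mail and vpn and never sees wardialer or andys-sekrit-ipad; a label that is not in any wordlist stays hidden however many denials are collected, which is the whole argument for the random-name advice.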

Jason Bau and John Mitchell, both of Stanford, have an even deeper dive into DNSSEC and NSEC3.

Fri, 21 May 2010 12:00:00 -0700 Low Fidelity: Is a "Good Enough Revolution" Good for Security? http://fudsec.com/low-fidelity-is-a-good-enough-revolution-good http://fudsec.com/low-fidelity-is-a-good-enough-revolution-good
This week's post is short and sweet [for a change]. Duncan hints at a subtle, nuanced, but important question. Should security follow the same patterns we see in other markets like consumer electronics? FUD, too many products, tight budgets, and compliance checklist mindsets are all trending security spending toward a perceived "good enough". Is this a good thing? Hoopes hopes for an interesting discussion, so bring on the comments.

If we look at the preferences and trends in the consumer electronics market, can we gain insights into IT security development and purchasing patterns? 

I subscribe to Wired magazine, but my teenage sons pilfer it before I have a chance to read it all. As such, it was only when I came across a news snippet about a Wired article in another magazine that I stopped to think about the security implications.

From worldmag.com: 

Robert Capps, writing in Wired, identifies a revolution that began with technology but is changing the way other industries, including law and medicine, are doing business. Capps calls it the 'Good Enough Revolution' and uses the Flip video camera to illustrate his point. Traditional video cameras emphasized image quality and features. A new company, Pure Digital, came along and saw a market for a low-cost video camera that was easy to use and produced video that was easy to share online. It sacrificed image quality for ease of use. The Flip Ultra is now the best-selling video camera and controls 17 percent of the market. Capps writes: 'We now favor flexibility over high fidelity, convenience over features, quick and dirty over slow and polished. Having it here and now is more important than having it perfect.'


I recall the days when "hi-fi" was the objective. Sure, the market still recognizes differences in quality, but other factors seem much more important. As Capps points out, despite the availability of excellent medical technology, "good enough" is an emerging theme in healthcare. 


My question:
Does this trend represent dissident behavior on the part of the masses? Or am I the dissident because I believe that security technology should be more secure than what the trend of 'quick and dirty' brings?

 

Fri, 14 May 2010 04:32:00 -0700 SCSOVLF (aka, the Shpantzer Coma Scale Of Vendor Lameness and FUD) http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo

Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but "I know it when I see it." In this week's invited post, information security and risk management consultant Gal Shpantzer blows the lid off that problem with the Shpantzer Coma Scale. We at the Fudsec Institute For FUD Studies are delighted that he could bring clarity and metrics to such an important topic - because if you can't measure it, you can't ... well, you know.

 

By Gal Shpantzer (@shpantzer)
When considering the veritable cornucopia of vendor offerings in the information security niche, you'll find a spectrum of quality in the products and services themselves, from the ridiculous to the incredibly useful and well-designed. You'll also find a wide variety of approaches to selling and marketing these very same products and services.

Some vendors are consistent and have good products as well as sales/marketing teams. This is a rare vendor indeed. Treasure them if you find them. The majority within the vendor space have either good products or good marketing. Then there are those with neither. Inconsistency breeds hilarity.

Please consider this friendly scoring system, inspired by a combination of the Glasgow Coma Scale, APGAR and some other medical scoring schema for survivability of trauma and disease. (Note: We're carefully calibrating the rating system with an old Cray supercomputer in @rybolov's basement. YMMV)

Let's add up some points!

Vendor inappropriately uses absolute terms like "always" and "never" in order to delude the sucker, er, I mean prospect into thinking there's any certainty to be had in the security niche. Take one point off for every absolute term, starting at 5.

  • Bottom score of -5 for FUD lameness.

Number of minutes from start of presentation until vendor uses the term "APT".

  • +1 point for every minute past start. Max -5 points 
  • Bonus 3 points for not mentioning it at all, unless prompted to.

If, when prompted to address APT, vendor says "oh yeah, we've been doing APT since before 9/11".

  • -5 points

If, when asked, "How do you approach the APT issue, exactly?" they respond "That's on our roadmap".

  • -5 points

Vendor claims to fully detect malware on your endpoint. The more certain the claim sounds, the more points you can take off, starting from 5.

  • Bottom score of -5

Vendor has something that goes beyond a default OS build for its products: Starting at 0, add points for each aspect of security hardening credibly claimed.

  • +1 point per feature, Max 5 points.

Vendor has credible claims to integrate with relevant third party applications and services.

  • +1 point per feature, Max 5 points.

Vendor offers some level of choice in pricing model.

  • +1 point per choice, Max 5 points

Vendor has recent history of catastrophic encryption implementation failures.

  • -5 points

Vendor offers a 99% discount off retail pricing for year one software licensing. When pressed for total cost of ownership over 3 years, they reveal their plan to stick you with maintenance based on MSRP for years two and three.

  • -5 points

Vendor offers some level of ability to update and upgrade the software they're selling.

  • Max 5 points

Vendor actually responds to vulnerability reports in a way that remotely resembles something a reasonably responsible business would.

  • +5 points

Vendor offers some level of centralized management of distributed product.

  • Max 5 points

Vendor's central management of said distributed product causes DoS on your network.

  • -5 points

Vendor has some sort of third party certifications for their crypto library and/or device as a system (FIPS 140-2, Common Criteria, UK gov't, German gov't, etc).

  • Max 5 points

Vendor doesn't use proprietary encryption algorithms (yes, this is still being done, see Onix International and EncryptStick polymorphic…).

  • +5 free points for using AES or other accepted algorithm.

Vendor has technical capability to deploy in a flexible manner, to suit your virtualization strategy, if relevant.

  • +5 points

Vendor has real scalability in technical and pricing terms. Ask for references, don't just buy the canned demo.

  • +5 points

Vendor has reasonable licensing terms that allow for configurations that serve different use cases.

  • +5 points

Vendor can integrate with two-factor authentication tokens/cards, at least for administrative interface.

  • +5 points

Vendor is very negative and constantly disparages other competitors in their space.

  • 0 points

Vendor is negative when disparaging obvious lamers like those who use polymorphic encryption.

  • Max +3 points.

When asked about reference customers, vendor claims that the entire DoD and civilian government uses their products. When pressed for a confidential phone call, under NDA? "That's classified, but just between you and me, we're all over Langley and Ft. Meade."

  • -25 points and a call to the FBI Counterintelligence office.

Vendor is an otherwise credible up-and-coming security player that has been around for more than a year and can legitimately support an enterprise customer, in theory.

  • Max 5 points.

Vendor product does in the testing lab something close to what it says in the slideware.

  • Max 5 points. Bonus 3 points for having a reasonably responsive pre-sales engineer available via webex to help with a qualified bake-off.

Vendor is an otherwise credible security player that's been around for a while and has actual, reference-able enterprise customers.

  • Max 5 points.

SCORE:

Negative Score: Bring back the pillory and the scarlet letter.

Under 30: Run, don't walk. Then keep running. Write a blog post to lower your blood pressure.

31-50: Ask for a webinar and have them explain polymorphic encryption to you.

51-70: Possible long-list candidate with value play

71-90: Probably gonna make it to shortlist for tech eval

91+: Might be able to deliver on the promise and not the peril

 

Fri, 07 May 2010 05:23:00 -0700 Passing the Baton http://fudsec.com/passing-the-baton-19 http://fudsec.com/passing-the-baton-19

In mid-2009, after a flurry of Twitter activity on the subject, Craig Balding established Fudsec. He felt that, since Fear, Uncertainty and Doubt was permeating the world of information security, there should be a place where information security professionals could rebut it, could stake claims to intellectual honesty and begin conversations about issues of community interest.

"Fudsec," Craig wrote, "was created to showcase bad examples of Information Security marketing. Anytime the marketing message from an Information Security vendor or provider makes you feel Fear, Uncertainty, Doubt (FUD!)...or just plain dirty, let us know and we'll feature it here."

The Twitter effect was certainly responsible for the site's rapid growth, and by many measures the site has been a great success. Readership for each of the more than 30 posts to date has averaged several thousand, and the feedback generated has been highly positive. Each entry has a call to action. Not all posts draw comments on the site. All posts have sparked conversations - some highly charged, some in violent agreement, some in lively debate.

The list of contributors to date reads like a Who's Who of the information security world - in alphabetical order, posts have been contributed by Iftach Ian Amit, Paul Asadoorian, Balazs Attila-Mihaly, Richard Bejtlich, Carl Brooks, Anton Chuvakin, Justin Clarke, Joshua Corman, Rocky DeStefano, Drazen Drazic, David Etue, Will Gragido, Jeremiah Grossman, Brian Honan, Peter Kuper, Lori MacVittie, Haroon Meer, Ewout Meij, Chris Nickerson, Dale Pearson, Larry Pesce, George Reese, Wim Remes, Kevin Riggins, Chris John Riley, Mike Rothman, Nick Selby, Shrdlu, Jayson Street, Chris Swan, Vince Tuesday and Amrit Williams.

Now Craig is passing the baton, curtailing his online activities to turn his attention to his growing family, and a new team will be running Fudsec - in Craig's words, "two of Fudsec's biggest fans and notable contributors." You can expect the same level of integrity as before, and the potential for some new debate, or even some new services. A podcast is not out of the question.

The Fudsec site will remain true to Craig's original and important vision: intellectual honesty, an open forum where the known and the not-so-well known can contribute to the conversation. Where voices from all continents and cultures will find an audience.

As he passed the torch, Craig passed on some thoughts about how the site should be continued. A small sample of what currently comprises our mission statement:

"We need to go beyond acknowledging the FUD elephant in the room. We need to exorcise the demon from within...or ultimately we will be "without". Fudsec is the place to initiate that. We don't claim sole rights on the FUD meme, but we built a launchpad and every week aim rockets at the collective infosec consciousness...A Fudsec piece without a call to action is an operating system without an application."

If you'd like to write for Fudsec, please let us know at fudsec[at] gmail [dot ] com.

Fri, 30 Apr 2010 06:05:00 -0700 The Third Wave of FUD: Pre-emptive FUD Against Other Solution Categories http://fudsec.com/the-third-wave-of-fud-pre-emptive-fud-against http://fudsec.com/the-third-wave-of-fud-pre-emptive-fud-against

Today our invited post is from David Etue, a vendor speaking about FUD in information security marketing. Yes, he has skin in the game and yes, he knows it. But his larger point is that when marketers point FUD at vendors in other markets, intellectual honesty and customer information is the victim.

By David Etue (Twitter: @djetue)

Disclosure: I am a marketing guy - a VP of Products and Markets at Fidelis Security Systems, a network security company addressing problems from cyber defense to DLP. That's my conflict, and now it's disclosed.

Sadly, FUD continues to evolve, and not in a positive way. As Anton Chuvakin has pointed out, FUD's role in security today probably overshadows the role of any other factor we know. However, vendors' use of FUD is continually evolving, and has now reached what I determine to be its Third Wave: Fear, Uncertainty and Doubt against other solution categories. In order to understand the third wave, we'll first look back at what I consider the first and second wave.

The First Wave
The "first wave" of FUD is when vendors use fear, uncertainty and doubt to convince (well, scare) an organization into buying their security product. Rather than learning a customer's organization and explaining how the technology, along with people and process, benefits the customer's risk management program, this FUD involved targeted messages to the end user on how they will be hacked, fail an audit, lose their job, etc. if they don't purchase this product.

This first wave of FUD is still omnipresent today, but many consider it misdemeanor-level FUD as it's also the easiest for the end user to detect - it often overlaps with "silver bullet FUD" stating how the product solves all information security problems, and maybe even world hunger too.

The Second Wave
The "second wave" of FUD targets competitors in the same sub-sector of a given industry; this is FUD-marketing attacking the competition to win the customer bake-off. Again, rather than competing the noble way and articulating how product differentiators affect customers' cost of ownership and benefit their risk management program to gain selection, many resort to competitive FUD. There are a few different types of second wave FUD:

  • Bogus Requirements: This FUD consists of establishing criteria that have NO or LOW material mapping to how the organization would use the product, and therefore no benefit, yet will eliminate competitive solutions. My personal favorite examples are when organizations require esoteric templates, often compliance related, in the product with NO relevancy to their organization because one vendor has them and convinced them to include it in the specification.
  • Bogus Features: I have a product management background so I often refer to these as "test cases", versus "use cases." These are typically extraneous, but can sometimes be intentionally malicious. The extraneous cases consist of creating an event that would never happen in the real world, modifying your product to cover it, and then convincing the end user it matters. A few years ago, I came across a great example of the more malicious kind from a data leakage prevention (DLP) vendor, where they had modified their product (whether intentionally or unintentionally) to alert on a Social Security Number ending in "0000", which is not a valid SSN. The vendor then proceeded to provide the end user with a test file of SSNs ending in four zeros, and then claimed to be the only vendor to detect the file "correctly!"
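The "0000" test file above is easy to reproduce in code, so here is an added example (not from this post and not any vendor's product) of a minimal DLP-style SSN detector in two forms: a shape-only match, which the bogus file lights up, and a validating match that applies the Social Security Administration's structural rules. It goes slightly beyond the post's "0000" case by also rejecting area 000, 666 and 900-999 and group 00, and adds a buyer-side audit of a vendor-supplied test file. All sample text is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Shape of a formatted SSN: area-group-serial. Word boundaries keep the match
# from firing on the tail of a longer digit run such as an account number.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per the SSA's published rules.

    Area 000, 666 and 900-999 are never issued; neither are group 00
    or serial 0000. (The older area/group ordering rules were dropped
    with randomization in 2011, so these are the checks that remain.)
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str, validate: bool) -> List[str]:
    """Return the SSN-shaped strings in text.

    validate=False is the naive detector: anything shaped like an SSN.
    validate=True drops candidates that cannot be a real SSN.
    """
    hits = []
    for m in SSN_SHAPE.finditer(text):
        if validate and not is_valid_ssn(*m.groups()):
            continue
        hits.append(m.group(0))
    return hits


@dataclass
class TestFileReport:
    candidates: int       # shape matches (what a naive detector alerts on)
    valid: int            # matches that could actually be SSNs
    invalid_ratio: float  # share of candidates that can never be SSNs


def audit_test_file(text: str) -> TestFileReport:
    """Buyer-side check for a vendor-supplied "detection" test file.

    A file built from values that can never be SSNs proves nothing about
    detection of real data; a high invalid ratio is the tell.
    """
    cands = find_ssns(text, validate=False)
    valid = find_ssns(text, validate=True)
    ratio = (len(cands) - len(valid)) / len(cands) if cands else 0.0
    return TestFileReport(len(cands), len(valid), ratio)


# Constructed sample: the kind of file the post describes, every SSN ends in 0000.
BOGUS_TEST_FILE = """\
Employee records export
Jane Doe, 123-45-0000
John Roe, 234-56-0000
A. Person, 345-67-0000
"""

# Constructed sample mixing one plausible value with template placeholders and a
# ticket number that merely looks like an SSN. No real SSNs are used.
REALISTIC_TEXT = """\
Payroll note: 123-45-6789 was re-keyed; 000-12-3456 and 666-00-1234 are
placeholders from the template, see ticket 987-65-4321.
"""


if __name__ == "__main__":
    for name, blob in (("bogus vendor file", BOGUS_TEST_FILE),
                       ("payroll note", REALISTIC_TEXT)):
        r = audit_test_file(blob)
        print(f"{name}: {r.candidates} candidates, {r.valid} valid, "
              f"{r.invalid_ratio:.0%} of candidates cannot be SSNs")
```

Run against the bogus file, the naive detector reports three hits and the validating one none, which is the correct answer; the audit flags 100% of the file as impossible values.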

The Third Wave
Unfortunately, we've gone past these to the "third wave" of FUD, where FUD is used to compete for a customer's mind-share versus other solution categories. Rather than using FUD as a compelling event (FUD wave one), or competitive FUD to gain selection (FUD wave two), vendors are now FUDing for mind share before projects even start! A great example of this is Gunter Ollmann of Damballa's blog post, Botnet Prevention with DLP Technologies.

I am pretty familiar with the DLP space, and I'm not aware of many cases of vendors using botnets, or even botnet FUD, as a primary selling point of a DLP solution. However, Gunter goes out of his way to try to make a point that he can't "see a reason for [DLP] existing as a separate security technology anyway."

As an aside, I'd recommend that Gunter choose his FUD more carefully in the future. Much of his "DLP doesn't do botnet" FUD could also be used to argue why a separate botnet appliance (like Damballa) shouldn't exist as a "separate security technology", as he makes a compelling argument that IPS, anti-spam and perimeter Web gateway help stop nodes from being infected over the network; anti-virus best deals with determining "malicious intent of the binary files"; and IP/Domain/URL blocking technologies are effective at blocking command and control.

Why is Gunter focusing Botnet FUD at DLP?
While botnets certainly may play a role in data exfiltration, Damballa's mission of protecting "businesses from bot-driven targeted attacks used for organized, online crime" and DLP's focus on content-aware data security are fairly different. I think the reason is that DLP is currently a funded market category with named, funded projects in the large enterprises that Damballa is interested in selling to.

These same enterprises don't have a named "botnet detection" project or budget, so the battle for dollars and mind share has begun. He is not alone in this FUD, as many other vendors have joined this third wave of FUD against DLP alone. For example, Lancope announced a DLP solution that is soooooo good that it is "not dependent upon packet-level data" (thanks to Rich Mogull of Securosis for calling out this FUD in his blog post Hit the Snooze on Lancope's Data Loss Alarms). There are many more examples across the security landscape.

So, how did we get to this third wave? I have a few ideas.

First, the security buyer is suffering from information overload. If we look across the security product landscape, Gartner has a taxonomy that defines 159 discrete security topics ranging from infrastructure protection to identity & access management to compliance, risk & governance. This overwhelming list of "solutions" has far too many categories for an end user to possibly navigate, let alone have in-depth knowledge of how they would benefit their organization's risk management program.

Second, there is very little spending on new security projects, or new IT projects in general. According to the quarterly Citi CIO Survey for the fourth quarter of 2009 (by Richard Gardner and Aswin Shirviakar), the 80:20 rule applies to existing projects and maintenance versus new IT spending: "about 80% of IT spending over the next year is expected to be maintenance." This report also states that "security spending intentions remain high yet just stable." What does this mean? Any product within the Gartner 159 security categories that is not yet deployed is fighting for 20% of IT security spending, and the overall pie from which the 20% is derived isn't growing.

Finally, compliance spending continues to drive the majority of the spending in security dollars. The same Citi CIO survey cited before noted that government regulations were a significant driver of spending. As compliance regulations have become more prescriptive, this compliance-spending has become very focused on a small number of traditional (some may call legacy) security controls.

The Payment Card Industry Data Security Standard (PCI DSS) is a great example of this: as Josh Corman points out, it only explicitly requires nine security technologies (firewall; IDS; anti-virus; log management; encryption; vulnerability scanning; web application firewalls or application reviews; integrity monitoring; and patch management). This leaves 150 of the 159 Gartner sub-sectors of security - many with technologies solving significant challenges important to enterprises today - not required by compliance.

So, we have a confused buyer not able to keep up with the number of security product categories available, let alone the products within them. They may have little motivation to learn as budget pressures allow for few new projects, especially when 80% of the budget is spent on existing projects and maintenance. Top that off with compliance driving spending to a small number of legacy controls.

This leaves the remaining vendors thinking "If they have one discretionary project left, it MUST come to my project," and makes them incredibly focused on driving the small fraction of remaining budget to their solution. This is no excuse for the use of FUD, but is a sobering view of the state of the information security industry today.

Conclusion
Information security has reached a desperate time and some say desperate times call for desperate measures. However, these desperate measures should be to the benefit of the end user, not any single vendor. I would suggest that the presence of third order FUD is an indicator of the desperation of a solution to find its way in a crowded marketplace. This is a commentary on both the marketplace and the vendors who seek to use it. In a time when we all want to drive FUD down, adding a third wave should not be acceptable.

In the interest of continued disclosure, I remind you, I am a vendor. But am I wrong?

Which examples of third-wave FUD do you have?

Fri, 23 Apr 2010 09:05:00 -0700 Innovator's Crisis http://fudsec.com/innovators-crisis http://fudsec.com/innovators-crisis

This week we've invited Peter Kuper to comment. If you've ever met Peter, you won't be surprised that the topic of this week's post is the crisis amongst innovators. Thanks, Peter!

By Peter Kuper

Google made it entirely impossible for anyone to deny the harsh reality: we are pwned. The call for better security solutions has never been greater – it is headline news not in some geek blog, but in the New York Times. We’re finally getting the attention the problem deserves! Any day now we should be seeing money raining down all over security: the brains would be getting endless calls from investors worldwide, the big tech providers would be in a buying frenzy to snap up the leading products and rush them to market, and new solutions and ideas would line up as far as the eye could see.

The reality is the exact opposite – the entire ecosystem for the innovative ideas to solve this undeniable problem is in a critical state: the money has left the building and likely ain’t coming back anytime soon. Venture Capitalists have run from security, as the easy-money returns showered on them by the Symantecs and McAfees of the tech world, let alone the IPOs, have all but disappeared. At a time when our economy needs the VCs the most, they’re not willing or able to step up.

The latest data from VentureWire confirms these fears:

  • Venture-backed cyber-security start-ups secured just $626 million…in 2009, less than half the amount they raised in 2005
  • Buyers are smaller, as are the targets - acquiring entities are mostly “rollups”, meaning they amass a portfolio of technologies just for reselling purposes, not for advancing the cause (or roadmaps, for that matter)
  • E.g., Barracuda Networks “made nine acquisitions since taking $40 million in financing from Sequoia Capital and Francisco Partners in 2006”.
  • "There's a lot of great technologies that haven't gotten traction and people can't see how to profit from it, that are forced into a position to sell when normally they wouldn't be looking to (sell)," Dean Drako, CEO of Barracuda Networks.

It is a simple cycle: the companies need to sell as the capital to sustain operations has largely evaporated – fewer sales and less funding lead to more distressed EOLs.

But the slippery (ugly) slope doesn’t end there for us poor users. Even worse, the large security and other technology providers that purchase the private companies with the better technologies are then, in almost every case, killing off the R&D and product road maps. The overall data shows the undeniable trend: despite the more than 388 deals completed by the top 10 tech companies, including 276 between 2005 and 2007, R&D levels declined. Where did the R&D go?

Source: Publicly reported data

Public companies that are acquired are no exception either; IBM paid $1.3 billion for ISS, and what has become of those technologies? More distressing perhaps is that the problem will linger, as the VCs aren’t stepping in to replace the nearly 400 companies wiped off the earth in the past 5 years. The main driver of this is that the VCs are looking at the exit valuations. According to the 451 Group, the returns for technology deals are simply lower.

Cooley Godward’s report captures the reality of VCs’ risk aversion. Over the past four years, fewer early-stage deals have been completed in favor of later-stage investments. Later-stage rounds increased to 39% in 2009 from 33% in 2006 – the gains came from the A rounds (30% in 2009 vs. 37% in 2006), as Series B stayed the same (30%).

Source: Cooley Godward Kronish

Who cares if the VCs aren’t there?! They weren’t much help anyway, some have cried. While that may be true in some cases, the dollars for R&D aren’t coming from the larger companies either. As Goldman Sachs illustrates in the table which follows, IT has historically been the largest R&D spender of any industry, yet its spending dropped by 6% in 2009 and is expected to increase just 3% this year.

And the even harsher reality is that VCs and public vendors provide the lion’s share of research dollars.

So for now, anyway, we’re screwed. Of course, eventually the market, as it should, will find an answer. “SuperAngels” is fast becoming a recognized term as wealthy individuals, and groups of them, step in to fund Series A deals that are harder to fulfill in this environment. Bootstrapping is also coming back into vogue, which has some very useful residual effects. While growth might be hampered by a lack of resources, running a frugal ship from day one avoids the cash-burn trap many startups fall into, as well as retaining higher ownership of the company. But given the overall saturated state of attack surfaces, something’s got to give if we hope to fight back, let alone win, anytime soon.

Fri, 09 Apr 2010 09:10:00 -0700 Confessions of a SecAddict http://fudsec.com/confessions-of-a-secaddict http://fudsec.com/confessions-of-a-secaddict

It's Friday, which can only mean a torpedo of FUD comin' at ya.

Sometimes you read a blog post that really hits home.  This is one of them.  I asked Chris if I could repost it here and he was gracious enough to say 'Hell, yeah.  That's cool' (at this point, I pictured him whipping out the MOFO wallet...).

Chris is an experienced security practitioner by day and co-host of the Exotic Liability podcast by night (well worth a listen, just protect the children ;-)), and an informal champion for the non-rock-stars in the infosec community (he wouldn't call himself this as he's too modest on this score).

Anyway, enjoy the post and tell us what you think in the comments.  Thanks Chris!

By Chris Nickerson

“GOD, grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom go out drinkin’ afterwards!”

-A.P.Delchi

I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” high-tech hipster ways to get a hold on a problem that is created “FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention. (Which is nothing more than promoting the stereotype of security professionals as crybaby prima donnas.) I am over having to try and use corporate politics, backhanded practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train-wreck life of a typical security posture.

Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel “under control, hands tied, and have an overall lack of drive.” Do you see a pattern?

./Big_Giant_Breath

These are the signs you would see in a person with an extreme addiction. Yep! Change the words and context around just a little bit and you have a classic addict. It’s hard to choke down. I get it. It’s not conventional… I know. But, it’s real.

As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of “get fixed quick” type programs. There have been high-tech treatments and “silver bullet” pills that cure this horrible disease, but none of them was or is a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?

With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hope that it would seriously up my Social Engineering game. I was taking the cross-training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. (I know, shocking.. haha) Seriously though… I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he was even taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me. It took a long time. To me it felt like an eternity but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no-brainer, or it may look like the two words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness.

I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words:

Powerless: Without POWER

This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next (this concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!) When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.

Helpless: Without HELP

Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you cannot take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail, and its security controls are unable to be compromised (after all… you built ’em ;).

I know, I know, you are saying, “Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with at the beginning of this post.

What did you find?

Well, because we are all human, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time.. Maybe this is the one… Regardless, it is a part of life. We have all been happy or sad, or indifferent. For this simple reason, we all have had common issues.

This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is motivated more by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human-anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec, but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement, but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are detox centers that claim to “get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.

This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives, I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. Because of the lack of ownership, it allows us to “cheat” in our own program. It allows us to blame a scapegoat (whether that’s compliance or an infosec-savvy employee). There is always someone else to blame, and at the root of it, that is the reason we have rarely succeeded with our insecurity “recovery.”

Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it.

12 Steps (of insecurity recovery)

1. We admitted we were powerless over security – that our environments had become unmanageable.

2. Came to believe that a power greater than ourselves could restore us to being secure.

3. Made a decision to turn our will and our lives over to the care of best practice as we understand them.

4. Made a searching and fearless inventory of our environments and its assets, both information and physical.

5. Admitted to ourselves and those assisting us in our recovery the exact natures of our wrongs.

6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.

7. Humbly ask for help remediating our flaws.

8. Made a list of all the persons we ignored and became willing to make amends to them all.

9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.

10. Continued to take corporate inventory and, when we found flaws, promptly admitted them.

11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them, asking only for knowledge of their will for us and the power to carry that out.

12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs.

I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs.

The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.

Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ole fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem, or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take “the first step.”

Fri, 02 Apr 2010 04:02:00 -0700 Personnel Problems http://fudsec.com/personnel-problems http://fudsec.com/personnel-problems

This week, head hacker Dale Pearson digs into an area that we infosec guys and gals often give lip service to, but all too often fail to properly address. Cheers mate!

By Dale Pearson

I have a problem; well maybe it’s more of an addiction. I just love gadgets and technology, if it beeps and has lots of flashing lights I just have to have it. I am sure a lot of you share my affliction - we are like magpies - we all like new shiny kit arriving at the door. Ok, so it’s a personal problem, but it’s a problem that exists in organisations also, and it’s a real problem.

In the world of business, organisations are constantly reminded of the threats and risks that exist, and the steps they need to take to reduce and eradicate these so-called threats. So how do organisations spend their security budget? Well, they spend a lot of money on little boxes that sit in huge racks, with lots of flashing lights and the occasional beep. Sounds like heaven, right? With all these firewalls, IDS, AV and filtering technologies we have nothing to worry about; the virtual gates are tightly locked.

It doesn’t stop there though; we need policies, procedures and governance too, so we have to spend a little money here as well. We need to tick those regulatory and legislative compliance boxes so we can get the nice certificate on the wall, and assure our customers that we are secure because we are compliant. The purse strings are tightening a little now, but we are jumping aboard the risk management framework train, and this is a big deal, so we need some money for this. So now we are on the circular line of risk procrastination and unrealistic checklists, but it all sounds good and sets the right image to the outside world.

Now there really is no money left in the kitty, but we need to carry out penetration testing and user awareness to keep our certificates on the wall. So we employ a team of penetration testers to run a vulnerability assessment on a small portion of our infrastructure. Now for user awareness training, a simple presentation we can rinse and repeat each year on the Intranet should do the job.

So let’s quickly recap. 50% of the budget spent on infrastructure, 25% spent on compliance maintenance, 20% spent on risk management, 4% spent on penetration testing, and 1% on user awareness. Money well spent, and a secure environment has been achieved. Free publicity on TV, radio and in the newspapers when millions of customers’ records left the building via portable storage and boxes of paper….. priceless.

Companies say they take security seriously, and they know people are the weakest link, and they have training in place to cover this risk. I say FUD. They should hang their head in shame.

Hear me when I say, you have personnel problems. I am not saying forget about all the shiny toys and flashing lights, but remember and invest in your wetware too. People are the weakest link. Humans are programmed to be helpful, not to question, challenge or be suspicious. We need to empower our personnel; they need to be regularly reminded of the risks, and the forms they take. They need procedures to follow to mitigate risks; reward them for following processes and challenging the unknown. This can't be done on the cheap with a presentation knocked up one weekend.

Just ask yourself how much the information that walks out the door is worth, or what it costs when users give full access to the network via a Facebook application or for the chance to win an iPod, and then calculate how much you should really be investing in real awareness and education. Obviously the other components are important; we just need to readjust the allocation of funding to ensure adequate coverage for all areas of vulnerability. Awareness and education needs to hit home at a personal level, and it needs to be realistic, effective, constantly maintained and reinforced. Security is everyone’s responsibility.

It’s not that simple, I hear you cry. In order to get funds we need buy-in, we need to demonstrate ROI, and besides, nothing has ever walked out our front door; we would have known. If this is the case I encourage you to find the budget at least once for a no-holds-barred, full-on social engineering assessment, and I am confident you will be shocked at the results; if done properly, you should be on your way to the buy-in and the required ointment for your personnel problems.

There is no magic red pill that will cure the rash that is human stupidity, but through regular monitoring and constant treatment, we can reduce the inflammation to an acceptable level, and allow ourselves to go outside and face the world.

Fri, 26 Mar 2010 01:59:44 -0700 The Constant March of Progress http://fudsec.com/the-constant-march-of-progress http://fudsec.com/the-constant-march-of-progress

"Please nurse, can I haz some more?". Yes my long-suffering infosec brethren, it's fudsec Friday and time for your meds.

This week, Chris John Riley is dispensing. Chris currently resides in Austria, where he is a pen-tester in the financial sector, Infosec con junkie and fellow co-host of the Eurotrash Security Podcast. He also has a penchant for red aprons (don't ask).  If you're not already a subscriber to his blog, you're missing out.

by Chris John Riley

I love to learn new things... there, I've said it. I'm addicted to the latest technique, the new attack vector, the shiny exploit code that makes your dreams come true. A lot of us in security are. That's not always such a bad thing. I love the buzz you get when you do something you never thought possible. It's the best kind of high. Still, the first step in any cure is to admit that you have a problem. As an industry, we have a problem. It's time we took a step back and really started to rectify the issues, instead of craving our next fix.

We all love the latest big thing. The thrill of a new idea, the chance to learn something new and different. For many of us in security, the chance to try something out for the first time is hard to pass up. After all, for the majority, this is the reason we got into security in the first place. The constant change, the new challenges and the ability to play with exciting things in the name of progress. We're like kids in a candy store. If you need proof of that, just consider the packed halls at Defcon, Blackhat and a hundred other "security" conferences that take place around the world every year. You can't help but see the ever-growing demand for the "next big thing" in information security. I'll gladly admit, I'll be amongst the first reading the latest batch of white-papers to see what I can learn and use next time I'm testing a system. After all, this is why I moved into security to begin with... to have that constant growth and ongoing education that I felt network/server administration lacked. Still, let's keep to the point, because loss of focus is what got us here in the first place.

Where exactly do we expect this constant march of new and ingenious attack strategies to take us? Is there some mythical nirvana we can only reach after gathering up every zero day in Internet Explorer? Are we suddenly going to become secure once we find every possible way to crash the Apache server? I don't think that day will be coming anytime soon. Still, that's not really the reason for this little rant... and yes, it is a rant, no matter what I try to make of it.

Sometimes, as security professionals, we need to understand that the latest and greatest isn't always the norm. There are so many perfect examples out there to pick from. Whether it's Conficker, coming back again and again to top up its prescription, or the seemingly endless hotel chain data breaches, the flaws are well known to us, and well advertised. Of course, there are always exceptions to the rule, and I'm not saying that zero day bugs aren't going to be exploited by attackers, whether manually, or by worms, trojans, and all that come between. There will always be companies worthy of targeted attacks, after all. Still, these are, as the name suggests, exceptions and not the day-to-day that we still seem to fall down on. As security professionals we can't hope to protect 100% against the unknown. Still, there's no such easy excuse for our general failure to protect and educate about the known.

Perhaps we should all spend a little less time thinking about the next amazing attack technique, and a little more time sitting with the application developers, network technicians, security guards, or even management. Don't you think your clients/customers/company would get more out of going back to basics and really understanding the vulnerabilities a little better? Or do you think knowing the latest SSL rebinding attack/defense is more important than fixing the aging SQL Injection flaws in your website? It may not be the new hotness, but it's been more than 11 years since it was first discussed.

I'm not trying to say that ignoring the latest threats and vulnerabilities is the way to go. We need a balanced approach, after all. Despite what some people say, defense-in-depth isn't dead yet. Just remember that, for the most part, our jobs are to protect against attackers, whether you're patching things, finding the flaws in your systems, or responding to attacks. The focus should be on what attackers are doing now, with an eye on what they might do next. Some of the most widespread system infections have been caused by vulnerabilities that should have long been fixed. Take some time to look at the news headlines once in a while. SQL injection, weak or default passwords, misconfigured and unpatched systems, business logic failure and client-side exploits rule the roost.
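Since the post keeps coming back to SQL injection as the archetypal "known" flaw (the aging website bug above, and the first entry in the list of what rules the roost), here is an added example of exactly that flaw beside its fix. This is not code from the original post or from the author; it uses Python's built-in sqlite3 driver, a constructed in-memory users table, and hypothetical usernames and passwords purely for illustration. The vulnerable login builds its query by string formatting, which is the mistake that has been documented since the late 1990s; the fixed version passes the values as bound parameters so a quote in the input can never terminate the SQL string literal.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the original post). Passwords are kept
    # in plain text only to keep the example short; a real system would store
    # and compare a password hash instead.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The decades-old mistake: user-controlled input is concatenated straight
    # into the SQL text, so the input can change the structure of the query.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameterised query: the driver sends the values separately from the SQL,
    # so the text of the statement is fixed no matter what the user typed.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology in the password field: the WHERE clause becomes
    # (username = 'nobody' AND password = '') OR '1'='1', which matches every row.
    tautology = "' OR '1'='1"
    # Comment injection in the username field: everything after -- is ignored,
    # so the password check disappears from the query entirely.
    comment = "alice'--"

    print("legit, vulnerable:", login_vulnerable(conn, "alice", "correct horse"))
    print("tautology, vulnerable:", login_vulnerable(conn, "nobody", tautology))
    print("comment, vulnerable:", login_vulnerable(conn, comment, "wrong"))
    print("legit, fixed:", login_fixed(conn, "alice", "correct horse"))
    print("tautology, fixed:", login_fixed(conn, "nobody", tautology))
    print("comment, fixed:", login_fixed(conn, comment, "wrong"))
```

Run it and the vulnerable function hands back "alice" for both injection payloads while the parameterised one returns None for them and still logs the real user in. The point is not the sqlite3 API in particular: every mainstream database driver offers the same bound-parameter mechanism, and it is the fix a 15 minute scan will have been nagging about for years.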

Maybe I'm in the minority, but most security testing I do comes down to the same depressing flaws and vulnerabilities that have been known for years, in some form or another. How many of us who work as penetration testers can honestly say that the latest technique was the key to breaking through defenses and gaining access? Of those who can honestly say yes, and I'm thinking that's not many, I'm willing to bet these are the companies getting it right. The companies doing the secure development life-cycle, doing the user and developer education, and most importantly, building security into every individual stage, from system and architectural design through to change management and system maintenance.

I look forward to the time when the only way to bypass defenses is to reach into that bag of tricks and pull out some new miracle pill. To me this is what penetration testing really is, and where I feel it serves its core purpose. After all, there's little value in paying penetration testers to point out something that a 15 minute automated scan could tell you! You don't call an ambulance if all you need is an aspirin.

Sometimes we forget what the real threats to our environment are. We start boarding up the windows and forget all about the side door we left ajar. If this were a zombie movie, we'd be the poor suckers getting blind-sided while searching behind the dresser for our stash.

Where are you going to focus your efforts today?

 

Fri, 19 Mar 2010 10:17:30 -0700 CyberFUDfare http://fudsec.com/cyberfudfare http://fudsec.com/cyberfudfare

And as if by magic, a new fudsec post appears.  Having recently survived as a guest of Exotic Liability, I'd like to thank Iftach Ian for delivering our medication to us this week.

By Iftach Ian Amit

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know... sorry...) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.

I decided to start off with my prior knowledge of CyberCrime (again - definitions aside, some say eCrime, some CyberCrime, some tomato...) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were Estonia and Georgia.

Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian - meaning that there didn't seem to be a Kremlin general, high on vodka, who marched his army of hackers into cyberspace to crush the Estonian internet!!! On the other hand, reality seemed much more familiar than expected - a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that - behold - is attributed to CyberCrime. Almost like someone was trying to push me back to my "place".

To be completely honest, there was a bit more to it. Anyone who is familiar with the RBN is probably aware of the close ties it has with Russian authorities, which allow it to operate almost uninterrupted. The timing and scale of the attacks indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonian neighbors.

But from some greased hands that allow RBN to keep running aloof, to "the first true cyberwar" is a long haul...

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it was closely coordinated with kinetic actions taken on the ground by Russian forces. Nevertheless, the same deniability factor plays well here - the main attack surface was the use of botnets operated primarily by CyberCriminal groups.

Interestingly enough - true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s... These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure :-) ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution... Yeah - I’m such a sucker for the media :-(

Too bad that the latest APT (and that’s the last time you'll see this acronym written in this post) is just another FUD-happy name for - wait for it - TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! Run for your lives...

Seriously now. Whether state sponsored (possible...) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names...), we go back again to the FUD motivation.

According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by - you guessed it - AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up! The sky is not falling. It's just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes - even your government (or whatever shell company is used to disguise it). Just as we are used to doing with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime on my blog and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU.

 

Fri, 12 Mar 2010 09:59:59 -0800 The Importance of Being Earnest in a Global Economy: Allegations, Non-Repudiation and the Value of the Irrefutable in Information Security http://fudsec.com/the-importance-of-being-earnest-in-a-global-e http://fudsec.com/the-importance-of-being-earnest-in-a-global-e

This week, Will from Cassandra Security steps up on the Fudsec infosec catwalk for some aurorasomeness (sorry, couldn't resist).  I've got three words for you: data, data, data.  I'm done.  Thanks a lot Will!

By Will Gragido

The Danger of Allegations

Mob mentality is a scary and dangerous thing. History has proven that time and time again. Our industry is not immune to this. In fact, in many respects, it is quite good at perpetuating the madness. Understanding the interplay of fear, uncertainty and doubt within the cultural zeitgeist and attitude is not only important, but critical. As a result, we must strive to prevent errant thought and irresponsibility within our profession and industry without sacrificing our ability to think critically. Avoiding sensationalistic allegations pertaining to cyber-boogeymen, real or imagined, is of paramount importance in order that we not be perceived as a collective body of ‘chicken littles’. Sensationalism is fine for carnivals and circuses, allegations for the tabloids, but not for an industry where the lines between logical and physical threats are blurring on an ever increasing level.

Examples of Allegations in Recent History and Their Importance Influencing FUD in Matters of Information Security

Several powerful examples can be drawn from recent history that articulate and underscore this point. Allegations are often made in the absence of comprehensive data. Disturbing, yes; unrealistic, no. With enough circumstantial evidence, arguments can be made with respect to onus and responsibility for events of interest in almost all circumstances. This is true whether one is speaking of fiduciary malfeasance, large scale cyber criminal cabals, state sponsored activity or what Aunt Sally said to Uncle Phil. In some cases this is necessary misdirection; in other cases, it is simply irresponsible and Barnumesque. Regardless, it is vitally important that a clear understanding of the word ‘allegedly’ exists in your lexicon in order to avoid pitfalls. Understanding it will aid you in your daily and professional lives. The word ‘allegedly’ can be defined in the following way:

•    A declaration made that cannot be proven or substantiated; a claim with questionable supporting evidence.  

The ‘Aurora’ attacks, or ‘Operation Aurora’ (named by Dmitry Alperovitch of McAfee), of recent history are excellent examples of the power of allegation wielded in the absence of irrefutable evidence. Beginning in mid-December 2009, this event of interest colloquially referred to as ‘operation aurora’ took on a life of its own. The first to publicly (and this is important, folks) address and speak about it was Google (blog post made in mid-January). It should be noted that Google stated that the attack ‘originated’ in China, and that though U.S. Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China, neither she nor Google blamed the Chinese Government nor accused them of being responsible. That is of paramount importance. Why? In part because there was not sufficient evidence to suggest or warrant such allegations, yet sensationalism (and the media momentum associated with it) built like a tsunami. Over time the attack was said to have targeted several organizations including, but not limited to:

•    Adobe
•    Juniper Networks
•    Rackspace
•    Yahoo!, Inc.
•    Symantec, Inc.
•    Northrop-Grumman
•    DOW Chemical

Researchers the world over exhaustively pored over the Microsoft IE zero day vulnerability used in the compromise in order to analyze and assess the possibility of derivative exploitation. Commentary on the levels of sophistication ranged from ‘very’ to more ‘elementary’. Media figures, industry pundits and people the world over who previously assumed that concepts such as advanced persistent threats and subversive multi-vector threats (the author is of the opinion that these threats are absolutely real, but that they are non-trivial in terms of architectural intent) were the stuff of which the cyber-boogeyman was made began changing their tunes. Unbridled allegations and assertions were being made even in light of the fact that, on almost a day-to-day basis, more information was coming to the surface. Onus and responsibility were shifted away from the Chinese Government and re-focused on two universities within China. Some argued that this could be a cleverly devised diversionary tactic of the Chinese, while others entertained other, equally (and, in my humble opinion) plausible explanations having to do with China being effectively ‘framed’ for this event of interest.

Wake Me When It’s Over: Reality Checks in the Midst of Chaos 

The reality is that without careful intelligence gathering, application of analytics and thorough vetting of data, we are left to speculate, arrive at best guesses and thusly produce statements which include, for better or worse, allegations. Put another way, unless we have a need to know (and there is something to know), we most often don’t know what we don’t know. We need to understand, as information security professionals, that there is a danger in mad speculation. It more often leads to a state of imbalance rather than control. We must think more clearly so as to avoid mistakes from which extraction could prove difficult at best. China is an easy target. We do know they are active in the proliferation of cyber-warfare tactics, methodologies and strategy; however, we must be careful to avoid throwing the baby out with the bath water, so as to avoid finding ourselves being the accused as opposed to the accuser.

Closing Thoughts

The world and our interactions within it are changing; as such, the ability to approach these challenges dynamically while presenting the appropriate mindset is critical.  The ability to think and consider things in an asymmetric fashion in a symmetric world is of the utmost importance and influences non-repudiation greatly.

  1. The threats are real, but we need to assess the data carefully and in a manner not driven by hysteria
  2. In the absence of irrefutable proof, we risk much when we make allegations; we need to be careful
  3. As my colleague Josh Corman and I were discussing this, it occurred to us that we will always lack 100% irrefutable proof, but that we must make decisions for the greater good predicated on the best intelligence we have at the time
  4. As a result we must be more highly attuned to FUD and its impact on tactical and strategic information security as it is easy to be misled

Your thoughts?
