A piece about security certifications caught my eye this morning. Now, I'm not a huge fan of certifications or anything (notice how there are no letters after my name), but what bothers me about this article is the fact that there is plenty of discussion about what makes a good "security pro" but absolutely no discussion about requirements for what the "pro" needs to *do* for the company hiring them. It's the same attitude taken when bringing a product in without considering the business requirements. What do I mean by this? I mean that just like there are no "good products" without asking "good for what", there is no such thing as a "good security pro" without asking "good at what".
For example, Joel Snyder says that to be a security pro, "You need to be comfortable driving the big three firewalls from Cisco, Check Point and Juniper." Oh yeah? I do? I've been doing security for a decade, and I've never seen a PIX console in my life; I'm sure it's all impressive and stuff, but it's just never come up in the course of doing my job. Same with Firewall One and whatever the hell Juniper's firewall is called. And driving it? I have just as much clue how to drive that as I do an ocean liner. Do I have to know how firewalls work if I'm going to work with cryptography, forensics, auditing, penetration testing, application security, etc., etc.? Joel seems to think so. Maybe I'm just jealous of the folks like Joel with the 'r3e7 (|-|3cKp01n7 sKil1z, but it seems to me that there's more to working in security than just working with firewalls.
You've probably already heard my rant about the Amir Herzberg "Unprotected Login Hall of Shame". However, in the interests of getting my due props, I would like to point out the recent statistics by NetCraft citing that SSL use on bank logon forms is on the decrease.
For those of you that missed my ramblings on this, here's a quick ramp-up: the "Unprotected Login Hall of Shame" is a list of sites that don't use SSL on the logon form itself (not the logon submission, mind you, just the form). Apparently, many banks are in the "this isn't a problem" foxhole right next to yours truly.
Some really good research on heap overflows in Windows. Useful reading material - this paper is short and to the point.
Remember Oracle's marketing campaign about how their software was "unbreakable"? Oracle has since back-pedaled hard on saying things like "hackers can't break in" and "can't break it; can't break in" since they are demonstrably untrue, but one would think that a company making such claims would have security (and hence product patches) high on the priority list. Apparently not so for Oracle.
The situation for Oracle users gets continually worse; if you were worried about the fact that Oracle was hanging you out to dry by delivering patches at a "glacial" pace, you can probably take comfort in the fact that new research demonstrates that even if you were to keep up with the patches, you probably wouldn't be protected anyway. Mary Ann, Oracle's CSO, has made the claim that it's really the researchers who are to blame for bad product security, but I'm doubting that even Mary Ann can get that to fly in this case. I guess the argument could be made that it was researchers who noticed that the Oracle patching didn't work, but all in all, I think it was Oracle that dropped the ball on this one.
Maybe a new campaign from Oracle: "Unpatchable"?
A colleague of mine, transplanted from Venezuela, told me once about a saying of his homeland: loosely translated, it states, "there's nothing more dangerous than an idiot with initiative." Nothing exemplifies the truthfulness of this saying better than the fact that one of the most esteemed security researchers of our time was denied entry to the US to present her findings.
That's one way to read it. Of course, maybe the DHS knows something that we don't: maybe Dr. Wang is really a terrorist disguised as a groundbreaking security researcher. Maybe in reality, she's an extremist whose innovative approach is to gain our trust by increasing the security of computer systems worldwide. Maybe after gaining our trust through subterfuge, she will part with the ruse, lace her houndstooth jacket with TNT, and blow up a subway. oooo... oooo... I got it - maybe her plan is to fill her research with subliminal anti-American messages and thus undermine the very foundation of the United States' mathematical community's confidence in our way of life. If you listen, you can just make out her maniacal laughter in the background (mwah hah hah hah hah hah.) Or DHS could just have made yet another public flub. Could go either way in my opinion.
Either way, the DHS is to be thanked: either by US citizens for stopping the insidious plot of the sinister Dr. Wang and her cronies, or by terrorists worldwide for continuing to ensure that the security of the United States remains below par.
Zotob, zotob, zotob... Once again, a malicious worm is running amok amongst enterprises everywhere - leaving endlessly rebooting systems in its wake. As with previous worms, a fully patched system is completely "immune." However, before we all start putting up pikes topped with the skulls of our IT administration personnel, consider the fact that this time, administrators had less than 3 business days to apply the patch before the storm started.
We've known for some time that the window between patch release and worm release is narrowing; that window has now become so small that developing a manual patching process that fits the time window is improbable. In this case, the -only- systems that are likely to be patched are the ones that applied the patch without any formal testing (such as those using the "auto-update" capability of MSFT operating systems.) In general, most enterprises try to ensure that any changes to production systems (servers, corporate desktops, etc.) are managed and tested before release; this attempts to keep downtime to a minimum by making sure that critical applications work just as well after the patch as before it. In this situation, enterprises that did that, that tried to ensure application uptime by moving patches through a formal process, were left with their pants down and are currently enjoying the "festival of pain" that is zotob.
I posit that there is a threshold where the amount of downtime associated with testing patches will exceed the amount of downtime associated with applying them without testing. Some might say this is heretical, but think about it: when was the last time that anything more than a minor inconvenience was caused by applying an OS patch to a production system? Not a huge number, right? Oh sure, for some legacy systems the incidence of patch conflict is likely to be higher. However, maybe it's time to consider a phased approach: non-critical systems (e.g. corporate desktops) could use an automated patching methodology like the MS auto-update functionality, with full testing reserved for systems that are semi-stable or otherwise "touchy." Just something to chew on.
*** Updated: Sorry about the spelling in the previous iteration of this; should be fixed now. :-) ***
OK - I was patient at first; I was even interested for a day or so in this whole debacle. But now, 600+ news stories later (626 as of the current count), I am officially sick of seeing either the name "Lynn" or the word "Cisco" in the security media. I don't include ISS in the list, because I was already sick of them before this whole mess started.
My question is: why do we keep talking about this? I mean, what's new here? Is it that Cisco is more interested in their PR more than the security of IOS? Oooooo... the shock value! (Not.) Is it the staggering revelation that ISS cares more about catching the crumbs from Cisco's plate than about courting hacker cred? Well, kiss my grits!
The bottom line is that both Cisco and ISS are publicly traded *for profit* corporations. Meaning, their goal is to make money. And, the unfortunate truth is: without the debacle, Cisco would have made more money if Mike's message was stifled. Period. If they could have gotten away with it, that is. This is a lesson from the history books - it's why we have full disclosure in the first place. So what makes this story new?
What about ISS? Again, we've already learned that lesson too. Specifically, when it's profit vs. one employee (or ex-employee), the employee loses. Seriously - how much business do you suppose having a relationship with Cisco brings them? Weigh that against the amount of dollars brought in by the hacking community. On the one hand you have a multi-billion dollar corporation and on the other hand you have the legion of the vinyl-clad disenfranchised. If @stake (ISS's evil twin) is willing to fire Dan Geer because Microsoft dislikes the nature of his research, why do we think ISS would "kid glove" Mike Lynn when Cisco is out for blood? Nope, not a surprise.
So why does the festival continue? I do think there is one thing that we can learn - that the associated bad PR with trying to "gag" vulnerability research is worse than the bad PR associated with having a vulnerability (in "for-profit" terms: it costs more money to stifle than to fix.) That's a useful lesson.
Ever quick to "throw the first stone", the DHS (Department of Homeland Security) has gone on record to chastise the private sector for lax security. Am I alone in thinking WTF here?
I mean, really. The DHS got slammed by the GAO for achieving "no significant results" in any of their 13 main duties; they achieved "failing results" for protection of their own systems in the same report.
And it's not just the GAO; they've also been slammed publicly by congress - it's been a "bipartisan groin-kicking" over there.
To quote Senator Lieberman (a Democrat): "How can the department possibly protect the nation's critical cyberstructure if it cannot keep its own house in order? More than two years after the department was formed, it should have a better grasp on protecting its own systems and information." Or to quote Senator Coburn (a Republican), "The government's plan to secure our vital infrastructures from a cyber threat remains vague…despite clear legislative and executive mandates."
Wow. Do you get the impression that the DHS chastising the private sector is kind of like Courtney Love telling kids to "just say no?" I mean, you hear them say it, and you try to find the "twinkle in their eye" or the coming wink that will acknowledge it as a joke.
New York state law A.4254 hits the books today. This is good news considering that quite a few naysayers were starting to question SB.1386 after CardSystems, and given that there was murmuring in the peanut gallery about modifying it. Props to Pataki for signing this, and thanks to ASB for passing the information along.
MS HoneyMonkeys. Cool idea, good execution, valuable results. Maybe I'm wrong on this one, but it seems to me that Microsoft is the only vendor with a plan for catching zero-day vulnerabilities; not to mention the fact that it's actually paying off.
So... Oracle, Sun, Netscape... What was that mantra again about how MSFT was the bane of information security? I'm not biased, just keeping my eyes open.
A link to a web poll concerning the Lynn discussion went across the webappsec mailing list this morning (https://www.threatsandcountermeasures.com/). So far, 90+% of respondents think Cisco v. Lynn is the most egregious case of big guy vs. little guy since David v. Goliath. Not that this is the most representative sample, since webappsec is probably... um... skewed.
Illuminata writing on CDP (Continuous Data Protection.) I would highly encourage infosec practitioners, particularly in financial services (regulatory), to check out this article if they have not done so already.
BTW, Illuminata (in case you are curious) is the perfect passive neuter plural nominative participle of "to illuminate" (illumino). So, "things that have been illuminated." Clever name for an analyst firm, IMHO.
My apologies for the gap in the blog entries. I've been very busy of late. However, this sufficiently raised my ire for me to comment.
Mary Ann Davidson, Chief Security Officer for Oracle, has written a piece on how vulnerability researchers are the real problem with respect to software bugs. Mary Ann outlines the three things that get her goat about vulnerability researchers; they are (to paraphrase):
1) Researchers who expect the problem to get fixed faster than the vendor can get it done
2) Researchers who want notoriety
3) Researchers who want credit for finding a flaw
I'm upset by this article for two reasons. First of all, while Mary Ann nods to the fact that there are different types of researchers, I think she does not do enough to segregate.
She says she thanks the "researchers who are after the public good" but I think that such a researcher is not incompatible with her list. For example, a researcher interested in the "public good" might feel that the Oracle "two year" fix turnaround window (actually 700 days in the case I'm referring to) is a mite too long; I think most of us would agree. In addition, it seems to me that media coverage (press) associated with finding a flaw is good advertising - why is it wrong for a researcher to seek press when it's OK for Oracle to advertise their doings (such as by having the CSO write a piece for news.com)?
All in all, I think folks reading this piece should keep in mind the fact that Mary Ann might just be a little bit biased here... I'm not saying it's right for "researchers" to disclose without contacting the vendor or to try to extort a vendor - however, it seems to me that the best way for vendors to alleviate this problem isn't by complaining about it in the press; it's by reducing the number of issues inherent in the products they ship. Just my two cents...