First off, my apologies for being slow on the blogging the past week or so - it's that time of year when work is at its maximum volume, and free minutes are few and precious; the blog - along with my personal grooming - has suffered because of it. In any event, this morning, as I sit in a hotel in upstate New York, I came across an article describing a report by the Business Roundtable that describes how we are all metaphorically sitting around with our pants down waiting for the inevitable "Cyber Katrina." The watchword from this think tank is apparently preparedness - like the Boy Scouts, we should all be prepared for the fact that any minute now, a digital weather system could move in, burst our various levees and leave us homeless... or so they say.
The idea of a "Cyber Katrina" was what really struck me; for years, we've been hearing about a Cyber Pearl Harbor, a Cyber 9/11, or a Cyber Tsunami - insert the most recent newsworthy disaster and slap a "cyber" in front of it, and experts have been telling us that it's going to happen for the past ten years. Which got me thinking - how likely is this really? Nobody seems to really question this concept, but yet the Internet has been around for a while now, and we have yet to see a disaster materialize. Have we just been lucky? I don't think so.
Instead, I think the metaphor is inapplicable. I think the press (and we as readers) should stop participating in the FUD-mongery by eschewing articles telling us this kind of thing is unavoidable. Look, disasters on the Internet are different from disasters in the physical world. Aside from the fact that nobody dies because they can't run Solitaire for a few days, the kind of damage these events cause renders the metaphor inapplicable. The worst worms we've seen to date - the Morris worm, Code Red, and SQL Slammer, which shut down double-digit percentages of the Internet - have damages listed in millions of dollars just like a physical disaster. But the kind of damage is different - worms and other outages cause damage mostly in loss of productivity, whereas Katrina caused millions/billions of dollars in property damage. Not the same thing: if houses and other buildings are washed away, it takes years to rebuild; if machines are disabled, you just reboot and reinstall. In one case, business stops because workers are in the hospital or can't get to the office - in the other case, you might need to reload some data from backup tapes. Sounds totally different to me...
So, I am asking for a moratorium from the "digital --insert-disaster-here--" crowd. It won't happen, it can't happen, so please stop hyping it up.
The Register has a thing this morning about full disclosure as it relates to SCADA networks; it made for interesting reading, and I highly recommend checking it out. Basically, they point out a few things about industrial networks that many of us have suspected all along: specifically, that vendors in that sector aren't interested in fixing flaws in their products and that clients aren't that interested in getting fixes from their vendors. Check it out:
"The vendors were sticking together saying that (researchers) didn't need to be involved with SCADA flaws," he said. "'It puts people and infrastructure in danger,' they said." Moreover, many vendors did not appreciate the involvement of the US Computer Emergency Readiness Team (US-CERT), the nation's response group tasked with managing the process of vulnerability remediation for critical infrastructure..."
They believe that fixing vulnerabilities "puts people in danger." Fixing bugs is dangerous? Maybe it's their attitude that's dangerous; folks working within an industrial context who claim they don't have to worry about finding or fixing vulnerabilities because of the fact that control networks are "closed off" (segregated) from other networks have a few things to learn about human nature... You see, while the intent might be that these networks stay closed off from each other, human nature dictates that they not stay that way. There are all sorts of reasons why individuals within a firm might wish to allow connectivity between their control network and their corporate intranet; maybe they want to allow data collection from a host on the intranet or maybe they want remote administration capability - there is all sorts of incentive to allow this connectivity to take place. With enough incentive, human nature will find a way to make it happen - in fact, having worked on engagements within this sector, I can testify that connections outside the control network happen. Of course, physical security isn't always where it needs to be at some of these places either...
So here's what I'm thinking... are we ready to bet the farm on the fact that these networks aren't connected? Or maybe should we think about trying to fix some of the issues that these industrial vendors seem so unwilling to acknowledge? In this area where the consequences of poor security are loss of life and loss of critical infrastructure, it seems to me that these vendors should get over themselves and work to make the environment as safe as possible - it seems to me that sticking your head in the sand and refusing to work with CERT or researchers is counterproductive...
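The "bet the farm" question above has a cheap answer: look at the flow logs and see whether anything actually crosses the control-network boundary. The script below is an added example (not from the post or any vendor); the control subnet, the corporate addresses, and the flow lines are all constructed, and the port hints just name the kinds of bridging the text mentions (remote administration, data collection).

```python
"""Segregation check: flag flows with exactly one endpoint inside the
control network, i.e. places where the 'closed off' assumption is false.
Added example; subnets and log lines are constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Hypothetical address plan: this range is supposed to be isolated.
CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")

# Destination ports that typically explain why a boundary got bridged.
BRIDGE_HINTS = {
    3389: "remote administration (RDP)",
    22: "remote administration (SSH)",
    502: "Modbus/TCP across the boundary",
    1433: "database traffic (MSSQL) across the boundary",
}

# Constructed flow-log line format: "<src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

def parse_flow(line: str) -> Optional[tuple]:
    m = FLOW_RE.match(line.strip())
    if not m:
        return None                      # unparseable lines are skipped, not trusted
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]), m["proto"])

def crosses_boundary(src, dst) -> bool:
    # One endpoint in, one endpoint out: the isolation claim is violated.
    return (src in CONTROL_NET) != (dst in CONTROL_NET)

def find_bridges(lines) -> List[Tuple[str, str]]:
    """Return (log line, explanation) for every flow crossing the boundary."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _sport, dst, dport, _proto = flow
        if crosses_boundary(src, dst):
            hint = BRIDGE_HINTS.get(dport, "unexpected cross-boundary flow")
            findings.append((line.strip(), hint))
    return findings

# Constructed sample: one legitimate in-network poll, three bridges, one junk line.
SAMPLE_FLOWS = [
    "10.50.1.20:49152 -> 10.50.1.5:502 tcp",       # HMI polling a PLC, both inside
    "192.168.10.33:50211 -> 10.50.1.5:502 tcp",    # intranet historian polling the PLC
    "192.168.10.7:61000 -> 10.50.2.10:3389 tcp",   # remote admin from the corporate LAN
    "10.50.2.10:40000 -> 192.168.10.80:1433 tcp",  # control host pushing to a corporate DB
    "garbage line",
]

if __name__ == "__main__":
    for line, hint in find_bridges(SAMPLE_FLOWS):
        print(f"{hint:45} {line}")
```

Point the parser at real firewall or NetFlow exports (adjusting FLOW_RE) and an empty result is the only evidence that supports the "it's not connected" claim.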
So, after all that fuss, Cisco's gonna be a Platinum BlackHat sponsor?! Ummm... Yeah. How easy is that to see through? Clearly, last year's debacle cost Cisco quite a bit in the court of public opinion and this year they want to take the opportunity to try to repair their image. Well I, for one, am not buying it.
I have to admit it - I'm totally ashamed. Apparently, behind my sleeping back, our droog Bob Muglia over at Microsoft (huge picture of his head here) announced on Sunday that Microsoft's Vista operating system is the most secure platform on the planet. Wow. Now, those of you who follow this blog know that I'm forever criticizing Apple and Oracle when they stand up and make statements like this; it's my opinion that getting up on a soapbox like this opens up attacker interest. However, being that Microsoft is "Target #1" already, you'd think that they would have learned a lesson or two about why this isn't a good idea. But apparently not.
Look, this kind of statement - aside from being false - is dangerous. We know it's false because we know that this operating system can't be the most secure ever, and it's dangerous because it sets up anybody who believes the statement for an unexpected surprise when it turns out not to be true. Look, to disprove a universal statement like this one, all you need to do is find one case of untruth and you know the statement is false; to disprove that Vista is the most secure OS ever, all we need to do is find just one other OS that is more secure. And if we (as most folks do) define "security" as "likelihood of being compromised", wouldn't an OS that was developed before networking technology be less likely to be compromised than Vista? Or one that works inside non-networked embedded devices? How about incredibly small special purpose operating systems like VxWorks (used in the Mars rover) - would that be more secure? So why is Microsoft doing this? From a PR perspective, it's a terrible idea because they'll just have to eat their words later. From a technical perspective, surely the folks at MSFT recognize that this isn't the case... What's the dealio over there?
In terms of the logic that he used to make the statement in question, Bob backs up his chest-beating growl of machismo by citing how Microsoft's Vista is the first operating system developed under their new full security regimen; he also points out the services offered within Vista like Windows Defender and kernel-level protection against rootkits. So, apparently we can all rest easy because Microsoft has us covered... Um, yeah. Needless to say, expect about a million new Vista vulnerabilities in the next week or so once word starts going around that Microsoft has this attitude...
This morning I noticed that McAfee announced yesterday that they fully intend to once again enter the game of public vulnerability disclosure. Now, as you may or may not know, I'm a huge fan of full-disclosure; given my belief that full-disclosure is a productive activity, my first thought was "good for them - get that return on the 80 million dollar Foundstone investment." But then I started thinking through the subtleties of this, and I started questioning the appropriateness of an AV company participating in full-disclosure. How could it possibly be an issue, you ask? It'll take a bit of explanation to get there, but there could be a potential conflict of interest in this. It's a conflict of interest similar to the one I pointed out when Symantec bought SecurityFocus:
So, a few years ago Symantec bought SecurityFocus right? Symantec sells a bunch of stuff like AntiVirus, IPS, IDS, and so forth. And SecurityFocus hosts both the BugTraq and the vuln-dev mailing lists, both of which are now moderated by Symantec personnel - which means that Symantec has notice of upcoming vulnerabilities before any other product vendor out there. Do you think it would be worth Symantec's time to notify their IDS engineering team about new vulnerabilities before they approve disclosures according to their moderating process? I do. Do you think it'd be worth Symantec's time to "sit on" messages awaiting moderation for a period of time (maybe even a few hours) while their engineering team has a chance to develop signatures for a particular piece of exploit code or while they develop a technique to prevent that issue? I do. Conflict of interest. Now, to give Symantec due props, they're probably not doing this... But do we have assurances to that effect? Maybe they reassure us somewhere, but I can't find it in their moderation policy...
It seems to me that there's something similar going on with McAfee... McAfee said this in their press release:
McAfee announced its reemergence in the field of vulnerability discovery and disclosure as a way to raise public awareness of potential points of attack... McAfee will also use its findings to help provide preemptive protection to its customers before targeted exploits can become serious problems.
So, McAfee will raise awareness about avenues of attack; that's one way of looking at it. Of course, some in our community would say that they're raising this awareness by creating new avenues of attack, which makes it somewhat less noble. You can choose to believe that or not, but it's certainly not an unheard of position to argue that bugfinding increases risk. McAfee says they're using their findings to provide preemptive protection, but some would argue that they are selling a solution to a problem that they helped to create. Is that a conflict of interest? Is it appropriate to both discover new vulnerabilities and sell solutions to the vulnerabilities you discover? As a staunch capitalist, I'm tempted to just say "yes" and be done with it. But it also seems to me that there's something to be said for avoiding "appearance of impropriety" - clearly there's a segment of reasoned, intelligent infosec luminaries who see McAfee as both creating risk and selling risk reduction... Maybe that's not McAfee's fault, but well... there it is.
As newly-appointed "Master of the Obvious", Gartner has gone on record to tell us all that breach disclosure is expensive. Well poke my eye and call me blinky!
And lest they be accused of criticizing without offering anything to help the situation, they've recommended a course of action that they say is cheap, easy to implement, and efficacious for prevention of exposure. Namely: HIPS, encryption, and audits. Oh yes, I'm perfectly serious. Gartner says that using all three of these technologies is 15 times less expensive than having to disclose a breach:
A company with at least 10,000 accounts to protect can spend, in the first year, as little as $US6 per customer account for just data encryption, or as much as $US16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined
One might question what these technologies have to do with each other - or why encryption is more complementary to auditing than, say, firewalls. But that aside, these are the technologies they've chosen, and by gum Gartner's sticking to them. Actually, I don't doubt that they are (when compared directly) less expensive than breach disclosure. However, Gartner's Magical Formula (TM) in my opinion completely misses the point - in fact, if you were to follow their instructions literally, they are actually somewhat dangerous. Specifically, while encryption of data may prevent you from having to disclose under certain very restrictive situations, it depends entirely on how you apply it. Moreover, while encryption may have some benefit, HIPS and auditing do nothing to prevent you from having to disclose in the event of a breach, and they do nothing in terms of preventing the breaches from occurring - at least via the most common vehicle we've seen to date. So, in most cases, if you followed Gartner's advice and then had a breach - it'll still cost you what it originally would have, but now you'll pay extra for the "not helping you do anything" measures that Gartner's encouraged you to buy.
Look, the number one way that disclosures come about is laptop theft. Say for example that I put a database of New York residents' Social Security numbers, names and addresses on my laptop. I then install a HIPS product and "lose" the laptop in Penn Station. Do I have to disclose to those folks that their data was lost? Yes. Does having a HIPS prevent me from having to disclose? No. How about if I just had an auditor come through and look over my machine right before I donated it to the homeless? Um, guess what - I still have to disclose. So, in the context of preventing disclosure - these measures are, again, valueless. I suppose that someone could argue that having HIPS and audits would prevent compromise from happening some other way (like from some hacker attacking the machine over the network), but how many disclosures have you seen recently that result from hacker activity? Some, but it's pretty rare...
Now, encryption is a different (but more complicated) story - in some cases (SB1386), encryption will provide safe harbor for disclosure. However, under something like DATA (currently in review by the House Judiciary Committee), safe harbor is only provided when a FIPS 140-2 certified module is used (same if you're a federal agency like the VA.) Where's that in Gartner's Magic Formula?
What really gets me fired up about this is the fact that Gartner testified before Congress and stated this same foolishness. Lawmakers aren't going to be technically savvy enough to see that this is just wind... I ask it again: why are we listening to Gartner about data loss? Why not listen to someone who actually has some skin in the game?
Awesome piece about Microsoft's "Save as PDF" feature (and Adobe's reaction) by Jonathan Eunice over at Illuminata Perspectives:
Adobe Systems has discovered, to its dismay, that when you publish a file format as an open standard, other companies may decide to implement tools that write to, or work with, that standard. And no matter how open or standard you want to promote your format, you may often at the same time want to exercise a proprietary prerogative over who uses that standard, and how.
A highly recommended read...
I'm glad that the mainstream press is starting to wake up to the FUD that people like Verisign, Symantec, and McAfee are pumping out. The Forbes article Fraidy Cat Marketing describes in detail how companies use things like the Sober worm, Kama Sutra, and so on (err... phone-borne malware perhaps) to generate product buzz.
Have you ever seen a stronger admission of guilt than this quote from Vincent Weafer over at Symantec:
"To get attention, you pick something new and say the sky's falling down,"
It's true... And props to Symantec for admitting that they're doing it. Now if they could just spin it down for a bit...
So, in case you missed it, the other day MicroWorld put out a press release for the eConceal product. For some reason, the first sentence ("MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal") caught my attention (due, I think, to the fact that "futuristic" struck me funny) and caused me to read on:
“eConceal empowers you with a multi-layered protection by Application Level filtering, Packet Level filtering and Stealth Mode,” said Govind Rammurthy, CEO, MicroWorld Technologies. “It’s like building a heavily guarded a digital fortress around you and then make it invisible as well! While every port is monitored with consistent vigil to prevent Port Scanning by attackers, each data packet is checked to see if it fulfills the filter criteria and rules.”
Is it just me, or is the idea of an invisible fortress riotously funny? Alright, guess it's just me...
In his entry "Security Analogies are Usually Wrong," Michael Howard does a bit of delving into the "software security by analogy" point of view:
I usually roll my eyes when I hear statements like, “If [bridges|cars|airplanes] were built like software then…” because comparing physical items and software is just wrong. They are not the same thing, you cannot compare them.
Anyway, it's worth reading since he makes a very humorous counter-analogy. Of course, the reason that I think this is particularly humorous is that the next thing I read after it was the coverage of Mary Ann at the WWW2006 show:
"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."
You'd probably think that Ernst and Young's "misplacement" of the credit card data for 243,000 Hotel.com patrons was a security issue, but you'd be wrong. Someone uninformed about these things might mistakenly believe that when Veterans Affairs lost information on 26.5 million people that there was a problem. But not so! You see, really this missing data is almost a non-issue. You see, these laptops weren't your ordinary "run of the mill" laptops - instead, they were protected by a veritable "iron wall" of protection: namely, a password in the case of E&Y and a proprietary data format in the case of VA.
You see, according to a memo by a VA representative, all that data containing medical information, personally identifiable data, etc. is in no jeopardy because the format of the file is proprietary - and, of course, therefore safe. You see, without "specialized tools" the data is in no danger. Without specialized text processing applications like "grep" and "wordpad," the data remains safely locked away from these shady perpetrators; the expensive nature of these tools, and the highly specialized skills required to operate them, are likely to be out of reach for most attackers.
According to the E&Y representative, E&Y's extensive "data lockdown procedures" require that a user enter a password before access to sensitive data is allowed; as with VA, given that advanced disk-analysis tools like "dd" are so expensive and the experts familiar with hard-disk removal techniques are so hard to find, the data remains out of nefarious hands and out of the way of prying eyes. Behold the impregnable fortress of safety!
So thanks to both VA and E&Y for explaining to us all the mitigating factors surrounding this data loss. I was concerned about it before I found out the truth of the matter.
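The serious point under the sarcasm (and under the Gartner laptop-theft argument earlier) is that a lost disk exposes exactly what a byte-level scan can find, no matter what container or login prompt sits in front of it. The script below is an added example, not from the post or either firm: the "proprietary" record layout and the "password gate" are constructed stand-ins for what the memos describe, and the scan does what grep would, including on the UTF-16 text that WordPad writes.

```python
"""What a byte-level scan finds on a lost laptop: SSN-shaped strings in any
file, regardless of its format or of a password checked only by the reader.
Added example; the record layout and sample data are constructed."""
import re
import struct
from typing import List

# 3-2-4 digit pattern, matched against raw bytes both as ASCII and as
# UTF-16LE (digit byte followed by a NUL), so neither an opaque container
# nor a Windows text encoding hides it.
SSN_ASCII = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
SSN_UTF16 = re.compile(rb"(?:\d\x00){3}-\x00(?:\d\x00){2}-\x00(?:\d\x00){4}")

def find_ssns(blob: bytes) -> List[str]:
    """Return every SSN-shaped string present anywhere in blob."""
    hits = [m.group(0).decode("ascii") for m in SSN_ASCII.finditer(blob)]
    hits += [m.group(0).decode("utf-16-le") for m in SSN_UTF16.finditer(blob)]
    return hits

def pack_proprietary(records) -> bytes:
    """Constructed 'proprietary' format: a magic header, then length-prefixed
    fields.  Opaque to a parser that lacks the spec, but the field bytes are
    stored verbatim, which is all a scan needs."""
    out = [b"VAREC\x01"]
    for name, ssn, addr in records:
        for field in (name, ssn, addr):
            data = field.encode("utf-16-le")         # WordPad-style text
            out.append(struct.pack("<H", len(data)) + data)
    return b"".join(out)

def password_gate(password: str, payload: bytes) -> bytes:
    """Constructed 'password protected' container: the reading application
    checks the password, but the payload behind it is stored in the clear."""
    return b"PWD:" + password.encode() + b"\x00" + payload

# Constructed sample records; 9xx area numbers are never assigned as real SSNs.
RECORDS = [("A. Veteran", "900-12-3456", "1 Main St"),
           ("B. Patron", "901-65-4321", "2 Elm St")]

if __name__ == "__main__":
    blob = password_gate("hunter2", pack_proprietary(RECORDS))
    print("scan of the 'protected' file finds:", find_ssns(blob))
```

Run the same scan over a copy encrypted with a real full-disk or file encryption product and it should return nothing; that, not a password prompt or an undocumented format, is what turns a lost laptop into a non-event.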
You ever seen McAfee's business ethics pledge? In case you haven't, they call it "Ethics First" and they proclaim it loud and proud on their website:
We are committed to holding the highest ethical standards. Our business relationships with customers, shareholders, employees, suppliers, and local communities must always be built on a foundation of integrity and trust. We call this commitment "Ethics First"— doing the right thing at all times in all circumstances...
This is, of course, particularly interesting against the backdrop of the investigation into McAfee's alleged potentially illegal backdating of options contracts to give executives a little extra payola. Although a number of firms are being investigated for this type of activity, McAfee's case is particularly egregious given their previous history of general securities fraud that caused them to ante up $50 Mil to the SEC.
I find it interesting that McAfee announced their intention to be ethical and then got mired in all this scandal; I mean, why make an ethics announcement at all if the executives are all openly engaged in various types of illegal activity? Usually, what I'd do in a case like this would be to go to their Standard of Ethical Conduct, point out all the places where they publicly lied, and generally laugh at them. However, this time I've decided to give McAfee a break. Rather than assume they're lying, I've decided to assume that they meant to honestly convey what they were up to but that something happened along the way... Maybe they're using strange definitions of words, maybe somebody in marketing "touched it up" before making it public, whatever. In any case, here's the breakdown:
| They Said: | They Meant: |
|---|---|
| "No success is worth the expense of compromising ethical behavior." | Many successes aren't worth compromising ethical behavior. Make sure to do a cost/benefit analysis to ensure the compromises you make at McAfee are worth the risk. |
| ...report possible violations to your supervisor, the Human Resources Department, Internal Audit or the Legal Department. | ...report possible ethical violation opportunities to your supervisor, those guys helping manipulate the stock price, the illegal activity "coverup" team, or that guy manipulating stock option issue dates. |
| In certain circumstances, inappropriate conduct may lead to immediate discharge. | If you get caught doing it, we're going to make you a scapegoat and say we knew nothing about it. |
| Falsifying Company or customer forms (e.g., P.O.s), reports, records or other documents [is prohibited] | Falsifying Company or customer forms (e.g., P.O.s), reports, records or other documents [requires manager approval] |
| Gambling on Company premises, committing fraud, carrying weapons or explosives, or violation of criminal laws on Company premises... may result in disciplinary action. | Gambling, committing fraud, or violation of criminal laws will be done on Company premises... |
| Failure to comply with Company health, safety or other rules... may result in disciplinary action. | Failure to comply with Company health, safety or other rules... may result in disciplinary action. Ethics guidelines don't count. |
And so on. There are, of course, tons more - but it gets tiresome pointing them all out.